WO2012142943A1 - Method and device for defense by using sandbox, and secure browser - Google Patents

Method and device for defense by using sandbox, and secure browser Download PDF

Info

Publication number
WO2012142943A1
WO2012142943A1 PCT/CN2012/074241 CN2012074241W WO2012142943A1 WO 2012142943 A1 WO2012142943 A1 WO 2012142943A1 CN 2012074241 W CN2012074241 W CN 2012074241W WO 2012142943 A1 WO2012142943 A1 WO 2012142943A1
Authority
WO
WIPO (PCT)
Prior art keywords
target object
sandbox
operated
target
execution
Prior art date
Application number
PCT/CN2012/074241
Other languages
French (fr)
Chinese (zh)
Inventor
范纪鍠
潘剑锋
孙晓骏
路健华
Original Assignee
北京奇虎科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京奇虎科技有限公司 filed Critical 北京奇虎科技有限公司
Publication of WO2012142943A1 publication Critical patent/WO2012142943A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • the present application relates to the field of computer security technologies, and in particular, to a method and device for defending by using a sandbox and a secure browser.
  • the sandbox (also known as the sandbox) is a program's isolated operating mechanism that is designed to restrict the permissions of untrusted processes.
  • Sandbox technology is often used to execute untested or untrustworthy client programs.
  • sandboxing technology provides virtualized disk, memory, and network resources for untrusted clients, and this virtualization is transparent to the client. Because the resources in the sandbox are virtualized (or indirectly), the malicious behavior of untrusted programs in the sandbox is often confined to the sandbox, protecting the original state of the system.
  • sandbox technology can put a program into a sandbox, so that all files and registry created, modified, and deleted by the program will be redirected by virtualization, that is, all operations are virtual, true.
  • virtualization that is, all operations are virtual, true.
  • the files and registry will not be altered, which will ensure that the virus cannot make changes to critical parts of the system and damage the system.
  • sandbox technology offers two types of sandboxes: one is a specific sandbox, for example:
  • Chrome uses sandbox technology to put the rendering engine or Flash in a sandbox to keep the browser safe; there is also a universal sandbox, such as: Sandboxie (another browser) Provide the user with a sandbox, let the user choose the software program to run in the sandbox.
  • the first problem is that the user must judge which is a risky program and needs to be placed in a sandbox. If the user does not understand the characteristics of the program, he or she may choose an error. Problem 2, Incorrect use of the sandbox, such as placing the editor of the editing file in the sandbox, will result in file loss.
  • the present application provides a method, a device and a secure browser for defending by using a sandbox to solve
  • the present application discloses a method for defending by using a sandbox, comprising: automatically determining whether execution of the target object to be operated needs to be imported into a sandbox before performing an operation on the target object; The sandbox then imports the target object into the sandbox and performs execution of the target object in the sandbox.
  • the step of importing the target object into the sandbox and completing execution of the target object in the sandbox comprises: if the target object is a target program, importing the target program into a sandbox, in the sand The operation of the target program is completed in the box; if the target object is a target file, the associated program that executes the target file is imported into the sandbox, and the target file is run by the associated program in the sandbox; if the target object For the information input by the user, the associated program that receives the user input information is imported into the sandbox, and the associated program is run according to the user input information in the sandbox; the information input by the user includes a web address and/or a keyword.
  • the step of automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox before performing the operation on the target object comprises: downloading the target program to the target program if the target object is a target program After the client runs, before the client runs the target program, it automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox; and/or automatically determines the target to be operated before downloading the target program. Whether the execution of the object needs to be imported into the sandbox; if the target object is the target file, after the target file or the associated program that executes the target file is downloaded to the client, the client automatically determines before the target file is run.
  • the step of automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox comprises: determining whether the target object to be operated meets a preset matching rule, and if yes, the to-be-operated The execution of the target object needs to be imported into the sandbox; if it is not, you do not need to import the sandbox.
  • the method further includes: creating a process for automatically determining execution of the target object; determining whether the parent process of the process is in the sand In the box, if yes, performing the step of importing the target object into the sandbox and completing execution of the target object in the sandbox; if not, continuing to determine whether the target object to be operated is The steps to match the preset matching rules.
  • the method further comprises: determining whether the user selects to import the execution of the target object to be operated into the sandbox, and if yes, executing the The step of importing the target object into the sandbox and completing execution of the target object in the sandbox; if not, continuing to determine whether the target object to be operated conforms to a preset matching rule.
  • the method further includes: determining whether the target object to be operated is in a white list, and if not in the white list, the to-be-operated The target object is an unknown object, and the step of judging whether the target object to be operated meets the preset matching rule is continued; if in the white list, the sandbox does not need to be imported.
  • the method before determining whether the target object to be operated meets the preset matching rule, the method further includes: determining whether the target object to be operated is in a blacklist, and if in the blacklist, executing the And the step of importing the target object into the sandbox and completing the execution of the target object in the sandbox; if not in the blacklist, continuing to determine whether the target object to be operated meets the preset matching rule.
  • determining whether the target object to be operated meets a preset matching rule comprises: querying a preset database, and comparing the target object to be operated with a preset rule in the database, if the database is in the database If it is queried, it will match the matching rule; if it is not queried, it will not match Match rules.
  • determining whether the target object to be operated meets the preset matching rule comprises: determining, according to the information of the target object, the Whether the target object conforms to a preset matching rule; and/or, according to information of the source program of the target object, whether the target object meets a preset matching rule.
  • the information of the target object includes at least one of the following: a file path of the target object, encrypted data, a file attribute, an icon feature value, a file feature value, a download source; and the information of the source program includes at least one of the following: Source file path, encrypted data, file attributes, icon feature values, file feature values, download source.
  • determining whether the target object to be operated meets the preset matching rule comprises: determining whether the information input by the user meets a preset matching rule .
  • the step of automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox comprises: automatically determining, by the server end, whether the execution of the target object to be operated needs to be imported into the sandbox according to the request of the client; And/or, the client automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox.
  • the method further includes: popping up the prompt window to prompt the user whether to import the sandbox, and importing the target object according to the positive input of the user
  • the sandbox completes execution of the target object in the sandbox.
  • the present application also provides a computer readable recording medium having recorded thereon a method for performing the above-described defense using a sandbox.
  • the application also provides a device for defending by using a sandbox, comprising:
  • a judging module configured to automatically determine whether execution of the target object to be operated needs to be imported into a sandbox before performing an operation on the target object
  • the execution module is configured to: if the judgment result of the determination module is that the sandbox needs to be imported, import the target object into the sandbox and complete execution of the target object in the sandbox.
  • the execution module introduces the target object into the sandbox and in the sandbox When the execution of the target object is completed,
  • the target object is a target program
  • the target program is imported into a sandbox to complete the operation of the target program in the sandbox;
  • the target object is a target file
  • the target object is information input by the user, importing the associated program that receives the user input information into a sandbox, and running the associated program according to the user input information in the sandbox; the information input by the user includes a web address and/or Or keywords.
  • the determining module is configured to: if the target object is a target program, download the target program to the client, and automatically determine the target object to be operated before the client runs the target program Whether the execution needs to import the sandbox; and/or, before downloading the target program, automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox;
  • the target object is a target file, downloading the target file or the associated program executing the target file to the client, and automatically determining whether the execution of the target object to be operated is required before the client runs the target file Importing a sandbox; and/or automatically determining whether execution of the target object to be operated needs to be imported into a sandbox before downloading the target file or executing an associated program of the target file online;
  • the target object is information input by the user, when the user inputs the information, it is automatically determined whether the execution of the target object to be operated needs to be imported into the sandbox.
  • the determining module includes: a rule determining module, configured to determine whether the target object to be operated meets a preset matching rule before performing an operation on the target object, and if yes, the target object to be operated The execution needs to be imported into the sandbox; if it is not, you do not need to import the sigma phase.
  • a rule determining module configured to determine whether the target object to be operated meets a preset matching rule before performing an operation on the target object, and if yes, the target object to be operated The execution needs to be imported into the sandbox; if it is not, you do not need to import the sigma phase.
  • the determining module further includes: a parent process determining module, configured to: before the rule determining module determines whether the target object to be operated meets a preset matching rule, create a method for automatically determining the target object After executing the process, determining whether the parent process of the process is in a sandbox, and if so, triggering the execution module to import the target object into the sandbox and complete execution of the target object in the sandbox If not, triggering the rule determination module to continue to determine the location Whether the target object of the operation is consistent with the preset matching rule.
  • a parent process determining module configured to: before the rule determining module determines whether the target object to be operated meets a preset matching rule, create a method for automatically determining the target object After executing the process, determining whether the parent process of the process is in a sandbox, and if so, triggering the execution module to import the target object into the sandbox and complete execution of the target object in the sandbox If not, triggering the rule determination
  • the determining module further includes: a user selection determining module, configured to determine whether the user selects to import the execution of the target object to be operated into the sandbox, and if yes, trigger the execution module to import the target object The sandbox completes execution of the target object in the sandbox; if not, triggering the rule determination module to continue to determine whether the target object to be operated meets a preset matching rule.
  • a user selection determining module configured to determine whether the user selects to import the execution of the target object to be operated into the sandbox, and if yes, trigger the execution module to import the target object The sandbox completes execution of the target object in the sandbox; if not, triggering the rule determination module to continue to determine whether the target object to be operated meets a preset matching rule.
  • the determining module further includes: a whitelist determining module, configured to determine whether the target object to be operated is in a whitelist, and if not in the whitelist, the target object to be operated is an unknown object, triggering
  • the rule judging module continues to determine whether the target object to be operated meets the preset matching rule; if in the white list, the sandbox does not need to be imported.
  • the determining module further includes: a blacklist determining module, configured to determine whether the target object to be operated is in a blacklist, and if in the blacklist, triggering the executing module to import the target object The sandbox is completed and the execution of the target object is completed in the sandbox; if not in the blacklist, the rule determination module is triggered to continue to determine whether the target object to be operated conforms to a preset matching rule.
  • a blacklist determining module configured to determine whether the target object to be operated is in a blacklist, and if in the blacklist, triggering the executing module to import the target object The sandbox is completed and the execution of the target object is completed in the sandbox; if not in the blacklist, the rule determination module is triggered to continue to determine whether the target object to be operated conforms to a preset matching rule.
  • the rule determining module is configured to: determine, according to the information of the target object, whether the target object meets a preset matching rule, when the target object to be operated is a target program and/or an object file; And/or, determining, according to the information of the source program of the target object, whether the target object meets a preset matching rule;
  • the information of the target object includes at least one of the following: a file path of the target object, an encrypted data, a file attribute, an icon feature value, a file feature value, and a download source;
  • the information of the source program includes at least one of the following: File path of the program, encrypted data, file attributes, icon feature values, file feature values, download sources;
  • the target object to be operated is information input by the user, it is determined whether the information input by the user conforms to a preset matching rule.
  • the device further includes: a prompting module, configured to: after the execution module determines that the sandbox needs to be imported, import the target object into the sandbox and complete execution of the target object in the sandbox , a pop-up prompt window prompts the user whether to import the sandbox; and according to the user's affirmation
  • the input invokes the execution module to import the target object into the sandbox and complete execution of the target object in the sandbox.
  • the present application also provides a secure browser including the device for defense using a sandbox as described above. Compared with the prior art, the present application includes the following advantages:
  • the present application provides a method for intelligent determination, which can automatically determine whether the execution of the target object needs to be imported into a sandbox before the user performs an operation on the target object, thereby bringing the following advantages:
  • the target object described in the present application may be not only the target program but also the target file or information input by the user. Therefore, the present application can not only automatically judge some software programs, but also automatically judge whether the execution of files such as pictures is safe, and can also automatically judge the information such as the URL and keywords input by the user, if the website or keyword Is a movie website, open a new browser to browse the website in the sandbox.
  • the present application can not only automatically judge some software programs, but also automatically judge whether the execution of files such as pictures is safe, and can also automatically judge the information such as the URL and keywords input by the user, if the website or keyword Is a movie website, open a new browser to browse the website in the sandbox.
  • FIG. 1 is a flowchart of a method for defending by using a sandbox according to an embodiment of the present application
  • FIG. 2 is a flowchart of a method for defending by using a sandbox according to a preferred embodiment of the present application
  • FIG. 3 is a preferred implementation of the present application.
  • the present application provides an intelligent decision method, which can Before the user performs an operation on the target object, it is automatically determined whether the execution of the target object needs to be imported into the sandbox, thereby helping the user decide which risky programs need to run in the sandbox.
  • Step 101 Before performing an operation on the target object, trigger the following defense steps;
  • Step 102 The target object to be operated is automatically determined whether the execution of the target object needs to be imported into a sandbox;
  • step 103 If yes, go to step 103; if no, go to step 104.
  • Step 103 If the sandbox needs to be imported, the execution of the target object is completed in the sandbox.
  • a prompt window may be popped up to prompt the user to import the sandbox, so that the user can freely select according to the result of the automatic judgment.
  • the target object includes, but is not limited to, a target program, an object file, and information input by the user. The details are described below separately.
  • the target program is generally referred to as an executable file such as an e-book, an online player, a serial number generator, and the like.
  • Step 102 can be triggered to automatically determine to prevent the malicious program from damaging the system; and/or to trigger before downloading the target program, thereby pre-defending the malicious program before downloading it to the client.
  • defense protection can also be triggered before running. In short, automatic judgment can be made before any operation on the target program to protect the security of the system.
  • the execution of the sequence means: The target program is imported into the sandbox to complete the running of the target program in the sandbox. For example, for a porn player on a website, put the player in a sandbox to run.
  • the target file usually refers to an unexecutable file such as a picture, and execution of such an object file needs to be performed by an associated program. For example, for a picture, a picture browser needs to be launched to browse, and the picture browser is an associated program of the picture file.
  • the completion of the execution of the target file in the sandbox means: importing the associated program that executes the target file into the sandbox, and the associated program runs in the sandbox.
  • Target file For example, for an untrusted image file, you can import the image browser into the sandbox to open the image.
  • the user may also trigger the execution of the step 102 in multiple manners, including but not limited to: after the target file or the associated program that executes the target file is downloaded to the client, the target file is run on the client. Trigger before; and/or, trigger before downloading the target file or executing the associated program of the target file online. In summary, automatic judgment can be made before any operation on the target file to protect the security of the system.
  • the information input by the user includes information such as a web address, a keyword, and the like input by the user.
  • the step 102 is triggered to perform security defense when the user inputs the information, that is, whether the information such as the website address and the keyword input by the user is safe and trustworthy, and if not, the step is performed. 103.
  • the completion of the execution of the user input information in the sandbox means: importing the associated program that receives the user input information into the sandbox, and inputting the user according to the user in the sandbox
  • the information runs the associated program. For example, for a suspicious URL, a new browser is opened in the sandbox to link to the website corresponding to the URL, and the browser program is the associated program that receives the URL input.
  • the method shown in Fig. 1 can automatically judge whether the execution needs to be imported into the sandbox.
  • the automatic judgment method provided by the embodiment of the present application includes, but is not limited to: determining whether the target object to be operated meets a preset match. The rule, if it is met, the execution of the target object to be operated needs to be imported into the sandbox; if it is not, the sandbox does not need to be imported.
  • the determining may be: querying a preset database, comparing the target object to be operated with a preset rule in the database, and if queried in the database, matching the matching rule; If it is queried, it does not match the matching rule. That is, the rules for storing various judgments are stored in the database, or the characteristics of the objects that match the matching rules are directly stored. If the target object to be operated is queried in the database, it indicates that the execution of the target object needs to be imported into the sandbox.
  • determining whether the target object to be operated meets the preset matching rule comprises: determining whether the related information of the target object meets the preset a matching rule; and/or, determining whether the related information of the source program of the target object conforms to a preset matching rule.
  • the related information of the target object includes:
  • the file path of the target object and / or
  • Encrypted data of the target object (such as MD5), and / or
  • File attributes of the target object (such as product name, version information, signature issuer, file size, etc.), and/or
  • Icon feature values (such as icon hash values) of the target object, and / or
  • the file feature value of the target object (such as a file hash value), and / or
  • the download source of the target object (such as which website to download from);
  • the related information of the target object includes at least one of the above information.
  • the related information of the source program includes:
  • the file path of the source program and / or
  • Encrypted data from the source program (such as MD5), and / or
  • File attributes of the source program (such as product name, version information, signature issuer, file size, etc.), and/or
  • the icon feature value of the source program (such as an icon hash), and / or
  • File feature values (such as file hash values) of the source program, and/or The source of the download of the source program (such as which website to download from);
  • the related information of the source program includes at least one of the above information.
  • the matching rule may be:
  • Example 1 For pornographic players on the site, the matching rules are as follows:
  • the source program is: a browser program or a resource manager
  • Target file name Contains "Japan AV” or "Erotic” ...;
  • the file icon of the target is a specific player icon
  • the target file size can be limited to a range, such as: 1MB ⁇ 10MB;
  • the player that meets the above rules is judged to be a pornographic player.
  • Example 2 For an unknown risk e-book, the matching rules are as follows:
  • Target file name A keyword containing an "e-book"
  • the feature value of the target file icon contains: The characteristics of the icon of the e-book.
  • Example 3 For an unknown risky sequencer generator, the matching rules are as follows:
  • Target file name There are keywords that contain "serial number generator” or “keygen” or “cracker” or “debug machine”;
  • the feature values of the target file icon include: The characteristics of the icon of the sequencer generator.
  • sequence number generator that meets the above rules can be judged as a risky sequence number generator.
  • determining whether the target object to be operated meets the preset matching rule comprises: determining whether the information input by the user conforms to a preset matching rule.
  • the URL input by the user is the URL of some pornographic websites, or whether the keyword input by the user contains information such as "Japanese AV" or "erotic". Letter entered by user
  • the information can be pre-determined whether the website to be browsed by the user or the web page to be searched needs to be placed in a sandbox.
  • the following automatic determination may be preferentially performed, as follows:
  • Determining whether the parent process of the process is in the sandbox if yes, the execution of the target object to be operated needs to be imported into the sandbox; if not, continuing to determine whether the target object to be operated meets the preset match rule.
  • the process for automatically determining the execution of the target object has a parent process
  • the process for automatic judgment is called a child process. If the parent process has been imported into the sandbox, indicating that the parent process is untrustworthy, the child process called by the parent process is also untrusted, so the child process should also be imported into the sandbox for execution.
  • the user can participate in selecting whether to put in the sandbox. If the user has actively selected to put in the sandbox, no automatic judgment of the matching rule is needed.
  • determining whether the target object to be operated meets the preset matching rule determining whether the target object to be operated is in the white list, and if not in the white list, the target object to be operated is an unknown object And continuing to determine whether the target object to be operated meets the preset matching rule; if in the white list, it is not required to import the sandbox.
  • the safer target objects are listed in the whitelist, and the target objects in the whitelist can be directly executed without being imported into the sandbox. If the target object to be operated is in the white list, the automatic judgment of the matching rule can be dispensed with. If the target object to be operated is not in the white list, indicating that the target object to be operated is an unknown object, further automatic judgment is required.
  • the target object that is not trusted is listed in the blacklist. If the target object to be operated is in the blacklist, it is directly imported into the sandbox; but if it is not in the blacklist, the pending operation cannot be excluded. The target object must be secure, so it is necessary to continue to judge the matching rules.
  • the target object to be operated is in the blacklist, it can also be directly intercepted without being placed in a sandbox, which can be selected by the user.
  • the above 1) to 4) can be used separately before the judgment of the matching rule, or can be combined before use in the judgment of the matching rule.
  • the embodiment of the present application further provides the following two implementation manners:
  • the server automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox.
  • the server side stores various rules for automatic judgment. If the target program or target file to be operated has been downloaded to the client, when the user clicks and executes, the client sends a request for the judgment to the server, and the server sends the request to the server. Make an automatic judgment. Or, before downloading the target program or target file from the server, the server determines whether to import the sandbox download according to the download request of the client. Alternatively, when the user inputs a web address or a keyword, the server automatically judges based on the user's input.
  • the client stores various rules for automatic judgment and updates it regularly from the server.
  • the client can automatically judge the user before the target object is operated.
  • the foregoing embodiment provides a method for intelligent determination, which can automatically determine whether the execution of the target object needs to be imported into a sandbox before the user performs an operation on the target object, thereby bringing the following advantages:
  • the present application also provides the preferred embodiment shown in FIG. 2.
  • FIG. 2 there is shown a flow chart of a method for defending by using a sandbox according to a preferred embodiment of the present application.
  • the target object is similar to the target file and the user input information, and will not be described in detail.
  • Step 201 creating a process
  • Step 202 Determine whether the parent process is in a sandbox
  • step 208 If the parent process is in the sandbox, then go to step 208;
  • step 203 If the parent process is not in the sandbox, proceed to step 203.
  • Step 203 determining whether the user chooses to import the execution of the target program to be operated into the sandbox; if the user has selected to import the execution of the target program to be operated into the sandbox, then the process proceeds to step 208;
  • Step 204 Determine whether the target program to be operated is in a white list.
  • step 209 If it is in the white list, then go to step 209;
  • step 205 is continued.
  • Step 205 Determine whether the target object to be operated is in a blacklist.
  • step 208 If it is in the blacklist, then go to step 208;
  • step 206 If it is not in the blacklist, proceed to step 206.
  • Step 206 Determine whether the target program is a specific type of program
  • step 207 If yes, proceed to step 207; If not, then go to step 209.
  • Step 207 a pop-up prompt window prompts the user that the target program is to be executed in the sandbox; if the user selects to import, the target program is added to the sandbox running list.
  • step 208 the operation of writing, deleting, and modifying the file/registry of the target program is started in the sandbox, and the process ends.
  • step 209 the target program is run in a general environment (non-sandbox mode), and the process ends. It should be noted that the order of the foregoing steps 203 to 205 can also be replaced, but all need to be before step 206.
  • FIG. 3 there is shown a block diagram of a device for defense using a sandbox according to a preferred embodiment of the present application.
  • the device may include the following modules:
  • the judging module 31 is configured to automatically determine whether the execution of the target object to be operated needs to be imported into the sandbox before performing the operation on the target object;
  • the execution module 32 is configured to: if the judgment result of the determination module 31 is that the sandbox needs to be imported, the target object is imported into the sandbox and the execution of the target object is completed in the sandbox; if not, the target can be completed outside the sandbox The execution of the object.
  • the target object includes but is not limited to: a target program, an object file, and information input by the user.
  • Execution module 32 when the target object is imported into the sandbox and the execution of the target object is completed in the sandbox:
  • the execution module 32 imports the target program Sandbox, complete the operation of the target program in the sandbox;
  • the execution module 32 imports the associated program that executes the target file into the sandbox, and the target file is run by the associated program in the sandbox;
  • the executing module 32 imports the associated program that receives the user input information into a sandbox, and runs the associated program according to the user input information in the sandbox; Information includes URLs and/or keywords.
  • the determining module 31 is configured to: if the target object is a target program, the determining module 31 automatically downloads the target program to be downloaded to the client, and automatically determines the to-be-operated operation before the client runs the target program Whether the execution of the target object needs to be imported into the sandbox; and/or, before downloading the target program, automatically determining whether the execution of the target object to be operated needs to be imported into the sand phase;
  • the determining module 31 downloads the target file or the associated program that executes the target file to the client, and automatically determines the target to be operated before the client runs the target file. Whether the execution of the object needs to be imported into the sandbox; and/or, before downloading the target file or executing the associated program of the target file online, automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox;
  • the determining module 31 automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox when the user inputs the information.
  • the determining module 31 may include:
  • the rule judging module 311 is configured to determine whether the target object to be operated meets a preset matching rule before performing an operation on the target object, and if yes, the execution of the target object to be operated needs to be imported into the sandbox; If it does not match, you do not need to import the sandbox.
  • the rule determining module 311 determines whether the related information of the target object meets a preset matching rule; and/or determines the target Whether the information related to the source program of the object conforms to a preset matching rule 'J; wherein the related information of the target object includes a file path of the target object, and/or encrypted data, and/or file attributes, and/or icons The feature value, and/or the file feature value, and/or the download source, ie, at least one of the above information; the related information of the source program includes the file of the source program Path, and/or encrypted data, and/or file attributes, and/or icon feature values, and/or file feature values, and/or download sources, ie, at least one of the above information;
  • the rule determining module 311 determines whether the information input by the user meets a preset matching rule.
  • the determining module 31 may further include:
  • the parent process judging module 312 is configured to: after the rule judging module judges 311 whether the target object to be operated meets the preset matching rule, and after creating a process for automatically determining the execution of the target object, determining the process Whether the parent process is in the sandbox, if yes, the execution of the target object to be operated needs to be imported into the sandbox, triggering the execution module 32 to import the target object into the sandbox and in the sandbox The execution of the target object is completed; if not, the rule determination module 311 is triggered to continue to determine whether the target object to be operated meets a preset matching rule.
  • the determining module 31 may further include:
  • the user selection judging module 313 is configured to determine whether the user selects to import the execution of the target object to be operated into the sandbox. If yes, the execution of the target object to be operated needs to be imported into the sandbox, and the execution module 32 is triggered. Importing the target object into the sandbox and completing execution of the target object in the sandbox; if not, triggering the rule determination module 311 to continue to determine whether the target object to be operated meets a preset match rule.
  • the determining module 31 may further include:
  • the whitelist determination module 314 is configured to determine whether the target object to be operated is in the whitelist. If the target object to be operated is not in the whitelist, the target object to be operated is an unknown object, and the rule determination module 311 is triggered to continue to determine the location. Whether the target object of the operation is in compliance with the preset matching rule; if it is in the white list, it is not necessary to import the sandbox.
  • the determining module 31 may further include:
  • the blacklist determination module 315 is configured to determine whether the target object to be operated is in the blacklist. If the target object to be operated is in the blacklist, the execution of the target object to be operated needs to be imported into the sandbox, and the execution module 32 is triggered. The target object is imported into the sandbox and the execution of the target object is completed in the sandbox; if not in the blacklist, the rule determination module 311 is triggered to continue to determine whether the target object to be operated meets the preset Matching rules.
  • the device may further include:
  • the prompting module 33 is configured to: after the execution module 32 determines that the sandbox needs to be imported, import the target object into the sandbox and complete the execution of the target object in the sandbox, and pop up a prompt window to prompt the user whether Importing a sandbox; and invoking the execution module 32 to import the target object into the sandbox according to the user's positive input and complete execution of the target object in the sandbox.
  • the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
  • the above-mentioned device that uses the sandbox technology for defense can be deployed on the server side or on the client side.
  • the user Before the user performs an operation on the target object, it is automatically determined whether the execution of the target object needs to be imported into the sandbox, and the user is determined to determine which The risk program needs to be run in the sandbox to avoid the loss of user data caused by placing the safe and risk-free program in the sandbox, and because it does not require user participation, it does not affect the user's operation and is easy to use.
  • the device of the present application further provides a security browser, and the browser includes a device for performing system defense by using a sandbox technology as described in the foregoing embodiment of FIG. 3, and
  • the method described in FIG. 1 or FIG. 2 is used to automatically determine whether the execution of the target object to be operated needs to be imported into the sandbox.
  • the embodiment of the present application further provides a computer readable recording medium on which a program for performing the method for defending using the sandbox technology of the present application is recorded.
  • the computer readable recording medium includes any mechanism for storing or transmitting information in a form readable by a computer.
  • a machine-readable medium includes a read only memory (ROM), a random access memory (RAM), a magnetic disk storage medium, an optical storage medium, a flash storage medium, an electrical, optical, acoustic, or other form of propagated signal, etc. (eg, Carrier, infrared signal, data signal, etc.).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

This application provides a method and a device for defense by using a sandbox, and a secure browser, so as to solve the problem of a sandbox technology where a user performs selection in the prior art. The method comprises: before executing an operation on a target object, automatically judging whether execution of the target object to be operated needs to be introduced into a sandbox; and if it is determined that the execution of the target object needs to be introduced into the sandbox, introducing the target object into the sandbox and completing the execution of the target object in the sandbox. In this application, before a user executes an operation on a target object, it is automatically judged whether the execution of the target object needs to be introduced into the sandbox, so as to help the user to decide which risky programs need to be run in the sandbox.

Description

利用沙箱进行防御的方法、 装置及安全浏览器 技术领域  Method, device and secure browser for using sandbox for defense
本申请涉及计算机安全技术领域,特别是涉及一种利用沙箱进行防御的 方法、 装置及一种安全浏览器。  The present application relates to the field of computer security technologies, and in particular, to a method and device for defending by using a sandbox and a secure browser.
 Say
背景技术 Background technique
在计算机安全领域, 沙箱 (也称为沙盒)是一种程序的隔离运行机制, 其 目的是限制不可信进程的权限。 沙箱技术经常被用于执行未经测试的或不可 信的客户程序。 为了避免不可信程序可能破坏书其它程序的运行, 沙箱技术通 过为不可信客户程序提供虚拟化的磁盘、 内存以及网络资源, 而这种虚拟化 手段对客户程序来说是透明的。 由于沙箱里的资源被虚拟化(或被间接化), 所以沙箱里的不可信程序的恶意行为往往会被限制在沙箱中,从而保护系统 原有的状态。  In the field of computer security, the sandbox (also known as the sandbox) is a program's isolated operating mechanism that is designed to restrict the permissions of untrusted processes. Sandbox technology is often used to execute untested or untrustworthy client programs. In order to prevent untrusted programs from disrupting the operation of other programs in the book, sandboxing technology provides virtualized disk, memory, and network resources for untrusted clients, and this virtualization is transparent to the client. Because the resources in the sandbox are virtualized (or indirectly), the malicious behavior of untrusted programs in the sandbox is often confined to the sandbox, protecting the original state of the system.
具体来说,沙箱技术可以将一个程序放入沙箱运行,这样该程序所创建、 修改、 删除的所有文件和注册表都会被虚拟化重定向, 也就是说所有操作都 是虚拟的, 真实的文件和注册表不会被改动, 这样可以确保病毒无法对系统 关键部位进行改动, 破坏系统。  Specifically, sandbox technology can put a program into a sandbox, so that all files and registry created, modified, and deleted by the program will be redirected by virtualization, that is, all operations are virtual, true. The files and registry will not be altered, which will ensure that the virus cannot make changes to critical parts of the system and damage the system.
目前沙箱技术提供了两种类型的沙箱: 一种是特定型沙箱, 例如: Currently sandbox technology offers two types of sandboxes: one is a specific sandbox, for example:
Chrome (一种浏览器)利用沙箱技术将渲染引擎或 Flash放在沙箱内运行, 以保证浏览器的安全; 还有一种是通用型沙箱, 例如: Sandboxie (另一种 浏览器)则提供给用户一个沙箱,让用户自行选择软件程序放入沙箱内运行。 Chrome (a browser) uses sandbox technology to put the rendering engine or Flash in a sandbox to keep the browser safe; there is also a universal sandbox, such as: Sandboxie (another browser) Provide the user with a sandbox, let the user choose the software program to run in the sandbox.
与特定型沙箱相比,上述由用户选择的通用型沙箱为用户提供了更多的 灵活性, 极大地方便了用户的使用。 但是, 这种让用户选择的方式存在以下 几个问题:  Compared with the specific sandbox, the above-mentioned universal sandbox selected by the user provides users with more flexibility and greatly facilitates the user's use. However, there are several problems with this way of making users choose:
问题一,用户必须自行判断哪些是有风险的程序,需要放在沙箱内运行, 如果用户不了解程序的特性, 就可能选择错误。 问题二, 错误地使用沙箱, 如将正在编辑文件的编辑程序放置沙箱内, 会导致文件丟失。 The first problem is that the user must judge which is a risky program and needs to be placed in a sandbox. If the user does not understand the characteristics of the program, he or she may choose an error. Problem 2, Incorrect use of the sandbox, such as placing the editor of the editing file in the sandbox, will result in file loss.
问题三, 用户自行选择的方式易用性不高, 操作复杂, 不符合用户的操 作习惯。 发明内容  Question 3: The user-selected method is not easy to use, and the operation is complicated, which does not meet the user's operating habits. Summary of the invention
本申请提供了一种利用沙箱进行防御的方法、 装置及安全浏览器, 以解  The present application provides a method, a device and a secure browser for defending by using a sandbox to solve
>之—。 为了解决上述问题,本申请公开了一种利用沙箱进行防御的方法,包括: 在对目标对象执行操作之前, 自动判断待操作的所述目标对象的执行是否需 要导入沙箱; 若确定需要导入沙箱, 则将所述目标对象导入所述沙箱并在所 述沙箱中完成该目标对象的执行。  >之—. In order to solve the above problem, the present application discloses a method for defending by using a sandbox, comprising: automatically determining whether execution of the target object to be operated needs to be imported into a sandbox before performing an operation on the target object; The sandbox then imports the target object into the sandbox and performs execution of the target object in the sandbox.
优选地,将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象 的执行的步骤包括: 如果所述目标对象为目标程序, 则将该目标程序导入沙 箱, 在沙箱中完成该目标程序的运行; 如果所述目标对象为目标文件, 则将 执行该目标文件的关联程序导入沙箱,在沙箱中由所述关联程序运行该目标 文件; 如果所述目标对象为用户输入的信息, 则将接收该用户输入信息的关 联程序导入沙箱, 在沙箱中根据该用户输入信息运行所述关联程序; 所述用 户输入的信息包括网址和 /或关键词。  Preferably, the step of importing the target object into the sandbox and completing execution of the target object in the sandbox comprises: if the target object is a target program, importing the target program into a sandbox, in the sand The operation of the target program is completed in the box; if the target object is a target file, the associated program that executes the target file is imported into the sandbox, and the target file is run by the associated program in the sandbox; if the target object For the information input by the user, the associated program that receives the user input information is imported into the sandbox, and the associated program is run according to the user input information in the sandbox; the information input by the user includes a web address and/or a keyword.
优选地, 所述在对目标对象执行操作之前, 自动判断待操作的所述目标 对象的执行是否需要导入沙箱的步骤包括: 如果所述目标对象为目标程序, 则将所述目标程序下载到客户端后, 在客户端运行该目标程序之前, 自动判 断待操作的所述目标对象的执行是否需要导入沙箱; 和 /或,在下载所述目标 程序之前, 自动判断待操作的所述目标对象的执行是否需要导入沙箱; 如果 所述目标对象为目标文件, 则将所述目标文件或执行该目标文件的关联程序 下载到客户端后, 在客户端运行该目标文件之前, 自动判断待操作的所述目 标对象的执行是否需要导入沙箱;和 /或,在下载所述目标文件或在线执行该 目标文件的关联程序之前, 自动判断待操作的所述目标对象的执行是否需要 导入沙箱;如果所述目标对象为用户输入的信息,则在用户输入所述信息时, 自动判断待操作的所述目标对象的执行是否需要导入沙箱。 Preferably, the step of automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox before performing the operation on the target object comprises: downloading the target program to the target program if the target object is a target program After the client runs, before the client runs the target program, it automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox; and/or automatically determines the target to be operated before downloading the target program. Whether the execution of the object needs to be imported into the sandbox; if the target object is the target file, after the target file or the associated program that executes the target file is downloaded to the client, the client automatically determines before the target file is run. Whether the execution of the target object of the operation needs to be imported into the sandbox; and/or automatically determining whether the execution of the target object to be operated is required before downloading the target file or executing the associated program of the target file online Importing a sandbox; if the target object is information input by the user, when the user inputs the information, it is automatically determined whether the execution of the target object to be operated needs to be imported into the sandbox.
优选地,所述自动判断待操作的所述目标对象的执行是否需要导入沙箱 的步骤包括: 判断所述待操作的目标对象是否符合预置的匹配规则, 如果符 合, 则所述待操作的目标对象的执行需要导入沙箱; 如果不符合, 则不需要 导入沙箱。  Preferably, the step of automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox comprises: determining whether the target object to be operated meets a preset matching rule, and if yes, the to-be-operated The execution of the target object needs to be imported into the sandbox; if it is not, you do not need to import the sandbox.
优选地,在判断所述待操作的目标对象是否符合预置的匹配规则的步骤 之前, 还包括: 创建用于自动判断所述目标对象的执行的进程; 判断所述进 程的父进程是否在沙箱内, 如果是, 则执行所述将所述目标对象导入所述沙 箱并在所述沙箱中完成该目标对象的执行的步骤; 如果否, 则继续判断所述 待操作的目标对象是否符合预置的匹配规则的步骤。  Preferably, before the step of determining whether the target object to be operated meets the preset matching rule, the method further includes: creating a process for automatically determining execution of the target object; determining whether the parent process of the process is in the sand In the box, if yes, performing the step of importing the target object into the sandbox and completing execution of the target object in the sandbox; if not, continuing to determine whether the target object to be operated is The steps to match the preset matching rules.
优选地,在判断所述待操作的目标对象是否符合预置的匹配规则的步骤 之前,还包括:判断用户是否选择将所述待操作的目标对象的执行导入沙箱, 如果是, 则执行所述将所述目标对象导入所述沙箱并在所述沙箱中完成该目 标对象的执行的步骤; 如果否, 则继续判断所述待操作的目标对象是否符合 预置的匹配规则的步骤。  Preferably, before the step of determining whether the target object to be operated meets the preset matching rule, the method further comprises: determining whether the user selects to import the execution of the target object to be operated into the sandbox, and if yes, executing the The step of importing the target object into the sandbox and completing execution of the target object in the sandbox; if not, continuing to determine whether the target object to be operated conforms to a preset matching rule.
优选地, 在判断所述待操作的目标对象是否符合预置的匹配规则之前, 还包括: 判断所述待操作的目标对象是否在白名单中, 如果不在白名单中, 则所述待操作的目标对象是未知对象, 继续判断所述待操作的目标对象是否 符合预置的匹配规则的步骤; 如果在白名单中, 则不需要导入沙箱。  Preferably, before determining whether the target object to be operated meets the preset matching rule, the method further includes: determining whether the target object to be operated is in a white list, and if not in the white list, the to-be-operated The target object is an unknown object, and the step of judging whether the target object to be operated meets the preset matching rule is continued; if in the white list, the sandbox does not need to be imported.
优选地, 在判断所述待操作的目标对象是否符合预置的匹配规则之前, 还包括: 判断所述待操作的目标对象是否在黑名单中, 如果在黑名单中, 则 执行所述将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的 执行的步骤; 如果不在黑名单中, 则继续判断所述待操作的目标对象是否符 合预置的匹配规则的步骤。  Preferably, before determining whether the target object to be operated meets the preset matching rule, the method further includes: determining whether the target object to be operated is in a blacklist, and if in the blacklist, executing the And the step of importing the target object into the sandbox and completing the execution of the target object in the sandbox; if not in the blacklist, continuing to determine whether the target object to be operated meets the preset matching rule.
优选地, 判断所述待操作的目标对象是否符合预置的匹配规则, 包括: 查询预置的数据库,将所述待操作的目标对象与该数据库中的预置规则进行 比较, 如果在该数据库中查询到, 则符合匹配规则; 如果未查询到, 则不符 合匹配规则。 Preferably, determining whether the target object to be operated meets a preset matching rule comprises: querying a preset database, and comparing the target object to be operated with a preset rule in the database, if the database is in the database If it is queried, it will match the matching rule; if it is not queried, it will not match Match rules.
优选地, 当所述待操作的目标对象为目标程序和 /或目标文件时, 判断 所述待操作的目标对象是否符合预置的匹配规则, 包括: 据所述目标对象的 信息, 判断所述目标对象是否符合预置的匹配规则; 和 /或, 根据所述目标对 象的来源程序的信息, 判断所述目标对象是否符合预置的匹配规则。  Preferably, when the target object to be operated is the target program and/or the target file, determining whether the target object to be operated meets the preset matching rule comprises: determining, according to the information of the target object, the Whether the target object conforms to a preset matching rule; and/or, according to information of the source program of the target object, whether the target object meets a preset matching rule.
优选地,所述目标对象的信息包括以下至少之一: 目标对象的文件路径、 加密数据、 文件属性、 图标特征值、 文件特征值、 下载来源; 所述来源程序 的信息包括以下至少之一: 来源程序的文件路径、 加密数据、 文件属性、 图 标特征值、 文件特征值、 下载来源。  Preferably, the information of the target object includes at least one of the following: a file path of the target object, encrypted data, a file attribute, an icon feature value, a file feature value, a download source; and the information of the source program includes at least one of the following: Source file path, encrypted data, file attributes, icon feature values, file feature values, download source.
优选地, 当所述待操作的目标对象为用户输入的信息时, 判断所述待操 作的目标对象是否符合预置的匹配规则, 包括: 判断所述用户输入的信息是 否符合预置的匹配规则。  Preferably, when the target object to be operated is the information input by the user, determining whether the target object to be operated meets the preset matching rule comprises: determining whether the information input by the user meets a preset matching rule .
优选地,所述自动判断待操作的所述目标对象的执行是否需要导入沙箱 的步骤包括: 根据客户端的请求, 由服务器端自动判断所述待操作的目标对 象的执行是否需要导入沙箱; 和 /或, 由客户端自动判断所述待操作的目标对 象的执行是否需要导入沙箱。  Preferably, the step of automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox comprises: automatically determining, by the server end, whether the execution of the target object to be operated needs to be imported into the sandbox according to the request of the client; And/or, the client automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox.
优选地, 如果所述待操作的目标对象的执行需要导入沙箱, 则导入沙箱 之前, 还包括: 弹出提示窗提示用户是否导入沙箱, 根据所述用户的肯定输 入将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行。 本申请还提供了一种在其上记录有用于执行上述利用沙箱进行防御的 方法的计算机可读记录介质。 本申请还提供了一种利用沙箱进行防御的装置, 包括:  Preferably, if the execution of the target object to be operated needs to be imported into the sandbox, before the importing the sandbox, the method further includes: popping up the prompt window to prompt the user whether to import the sandbox, and importing the target object according to the positive input of the user The sandbox completes execution of the target object in the sandbox. The present application also provides a computer readable recording medium having recorded thereon a method for performing the above-described defense using a sandbox. The application also provides a device for defending by using a sandbox, comprising:
判断模块, 设置为在对目标对象执行操作之前, 自动判断待操作的所述 目标对象的执行是否需要导入沙箱;  a judging module, configured to automatically determine whether execution of the target object to be operated needs to be imported into a sandbox before performing an operation on the target object;
执行模块, 设置为若所述判断模块的判断结果为需要导入沙箱, 则将所 述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行。  The execution module is configured to: if the judgment result of the determination module is that the sandbox needs to be imported, import the target object into the sandbox and complete execution of the target object in the sandbox.
优选地,所述执行模块在将所述目标对象导入所述沙箱并在所述沙箱中 完成该目标对象的执行时, Preferably, the execution module introduces the target object into the sandbox and in the sandbox When the execution of the target object is completed,
如果所述目标对象为目标程序, 则将该目标程序导入沙箱, 在沙箱中完 成该目标程序的运行;  If the target object is a target program, the target program is imported into a sandbox to complete the operation of the target program in the sandbox;
如果所述目标对象为目标文件,则将执行该目标文件的关联程序导入沙 箱, 在沙箱中由所述关联程序运行该目标文件;  If the target object is a target file, import the associated program that executes the target file into the sandbox, and the target file is run by the associated program in the sandbox;
如果所述目标对象为用户输入的信息,则将接收该用户输入信息的关联 程序导入沙箱, 在沙箱中根据该用户输入信息运行所述关联程序; 所述用户 输入的信息包括网址和 /或关键词。  If the target object is information input by the user, importing the associated program that receives the user input information into a sandbox, and running the associated program according to the user input information in the sandbox; the information input by the user includes a web address and/or Or keywords.
优选地, 所述判断模块, 设置为: 如果所述目标对象为目标程序, 则将 所述目标程序下载到客户端后在客户端运行该目标程序之前, 自动判断待操 作的所述目标对象的执行是否需要导入沙箱;和 /或,在下载所述目标程序之 前, 自动判断待操作的所述目标对象的执行是否需要导入沙箱;  Preferably, the determining module is configured to: if the target object is a target program, download the target program to the client, and automatically determine the target object to be operated before the client runs the target program Whether the execution needs to import the sandbox; and/or, before downloading the target program, automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox;
如果所述目标对象为目标文件,则将所述目标文件或执行该目标文件的 关联程序下载到客户端后在客户端运行该目标文件之前, 自动判断待操作的 所述目标对象的执行是否需要导入沙箱;和 /或,在下载所述目标文件或在线 执行该目标文件的关联程序之前, 自动判断待操作的所述目标对象的执行是 否需要导入沙箱;  If the target object is a target file, downloading the target file or the associated program executing the target file to the client, and automatically determining whether the execution of the target object to be operated is required before the client runs the target file Importing a sandbox; and/or automatically determining whether execution of the target object to be operated needs to be imported into a sandbox before downloading the target file or executing an associated program of the target file online;
如果所述目标对象为用户输入的信息, 则在用户输入所述信息时, 自动 判断待操作的所述目标对象的执行是否需要导入沙箱。  If the target object is information input by the user, when the user inputs the information, it is automatically determined whether the execution of the target object to be operated needs to be imported into the sandbox.
优选地, 所述判断模块包括: 规则判断模块, 设置为在对目标对象执行 操作之前,判断所述待操作的目标对象是否符合预置的匹配规则,如果符合, 则所述待操作的目标对象的执行需要导入沙箱; 如果不符合, 则不需要导入 σ相。  Preferably, the determining module includes: a rule determining module, configured to determine whether the target object to be operated meets a preset matching rule before performing an operation on the target object, and if yes, the target object to be operated The execution needs to be imported into the sandbox; if it is not, you do not need to import the sigma phase.
优选地, 所述判断模块还包括: 父进程判断模块, 设置为在所述规则判 断模块判断所述待操作的目标对象是否符合预置的匹配规则之前,创建用于 自动判断所述目标对象的执行的进程后,判断所述进程的父进程是否在沙箱 内, 如果是, 则触发所述执行模块将所述目标对象导入所述沙箱并在所述沙 箱中完成该目标对象的执行; 如果否, 则触发所述规则判断模块继续判断所 述待操作的目标对象是否符合预置的匹配规则。 Preferably, the determining module further includes: a parent process determining module, configured to: before the rule determining module determines whether the target object to be operated meets a preset matching rule, create a method for automatically determining the target object After executing the process, determining whether the parent process of the process is in a sandbox, and if so, triggering the execution module to import the target object into the sandbox and complete execution of the target object in the sandbox If not, triggering the rule determination module to continue to determine the location Whether the target object of the operation is consistent with the preset matching rule.
优选地, 所述判断模块还包括: 用户选择判断模块, 设置为判断用户是 否选择将所述待操作的目标对象的执行导入沙箱, 如果是, 则触发所述执行 模块将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行; 如果否, 则触发所述规则判断模块继续判断所述待操作的目标对象是否符合 预置的匹配规则。  Preferably, the determining module further includes: a user selection determining module, configured to determine whether the user selects to import the execution of the target object to be operated into the sandbox, and if yes, trigger the execution module to import the target object The sandbox completes execution of the target object in the sandbox; if not, triggering the rule determination module to continue to determine whether the target object to be operated meets a preset matching rule.
优选地, 所述判断模块还包括: 白名单判断模块, 设置为判断所述待操 作的目标对象是否在白名单中, 如果不在白名单中, 则所述待操作的目标对 象是未知对象,触发所述规则判断模块继续判断所述待操作的目标对象是否 符合预置的匹配规则; 如果在白名单中, 则不需要导入沙箱。  Preferably, the determining module further includes: a whitelist determining module, configured to determine whether the target object to be operated is in a whitelist, and if not in the whitelist, the target object to be operated is an unknown object, triggering The rule judging module continues to determine whether the target object to be operated meets the preset matching rule; if in the white list, the sandbox does not need to be imported.
优选地, 所述判断模块还包括: 黑名单判断模块, 设置为判断所述待操 作的目标对象是否在黑名单中, 如果在黑名单中, 则触发所述执行模块将所 述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行; 如果不在 黑名单中, 则触发所述规则判断模块继续判断所述待操作的目标对象是否符 合预置的匹配规则。  Preferably, the determining module further includes: a blacklist determining module, configured to determine whether the target object to be operated is in a blacklist, and if in the blacklist, triggering the executing module to import the target object The sandbox is completed and the execution of the target object is completed in the sandbox; if not in the blacklist, the rule determination module is triggered to continue to determine whether the target object to be operated conforms to a preset matching rule.
优选地, 所述规则判断模块设置为: 当所述待操作的目标对象为目标程 序和 /或目标文件时,根据所述目标对象的信息,判断所述目标对象是否符合 预置的匹配规则; 和 /或, 根据所述目标对象的来源程序的信息, 判断所述目 标对象是否符合预置的匹配规则;  Preferably, the rule determining module is configured to: determine, according to the information of the target object, whether the target object meets a preset matching rule, when the target object to be operated is a target program and/or an object file; And/or, determining, according to the information of the source program of the target object, whether the target object meets a preset matching rule;
其中, 所述目标对象的信息包括以下至少之一: 目标对象的文件路径、 加密数据、 文件属性、 图标特征值、 文件特征值、 下载来源; 所述来源程序 的信息包括以下至少之一: 来源程序的文件路径、 加密数据、 文件属性、 图 标特征值、 文件特征值、 下载来源;  The information of the target object includes at least one of the following: a file path of the target object, an encrypted data, a file attribute, an icon feature value, a file feature value, and a download source; the information of the source program includes at least one of the following: File path of the program, encrypted data, file attributes, icon feature values, file feature values, download sources;
当所述待操作的目标对象为用户输入的信息时,判断所述用户输入的信 息是否符合预置的匹配规则。  When the target object to be operated is information input by the user, it is determined whether the information input by the user conforms to a preset matching rule.
优选地, 所述装置还包括: 提示模块, 设置为在所述执行模块确定需要 导入沙箱之后,将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对 象的执行之前, 弹出提示窗提示用户是否导入沙箱; 并根据所述用户的肯定 输入调用所述执行模块将所述目标对象导入所述沙箱并在所述沙箱中完成 该目标对象的执行。 本申请还提供了一种安全浏览器, 包括如上所述的利用沙箱进行防御的 装置。 与现有技术相比, 本申请包括以下优点: Preferably, the device further includes: a prompting module, configured to: after the execution module determines that the sandbox needs to be imported, import the target object into the sandbox and complete execution of the target object in the sandbox , a pop-up prompt window prompts the user whether to import the sandbox; and according to the user's affirmation The input invokes the execution module to import the target object into the sandbox and complete execution of the target object in the sandbox. The present application also provides a secure browser including the device for defense using a sandbox as described above. Compared with the prior art, the present application includes the following advantages:
首先, 本申请提供了一种智能判定的方法, 可以在用户对目标对象执行 操作之前, 自动判断所述目标对象的执行是否需要导入沙箱, 由此带来以下 优点:  First, the present application provides a method for intelligent determination, which can automatically determine whether the execution of the target object needs to be imported into a sandbox before the user performs an operation on the target object, thereby bringing the following advantages:
第一, 可以帮助用户决定哪些有风险的程序需要在沙箱内运行, 而不需 要用户自行判断;  First, it can help users decide which risky programs need to be run in the sandbox without the user's own judgment;
第二, 避免将安全无风险的程序放置沙箱内运行导致用户数据的丟失; 第三, 无需用户的参与, 因此不影响用户的操作, 易用性高。  Secondly, avoiding the loss of user data by placing the safe and risk-free program in the sandbox; Thirdly, without the user's participation, the user's operation is not affected, and the ease of use is high.
其次, 本申请所述的目标对象不仅可以是目标程序, 还可以是目标文件 或用户输入的信息。 因此, 本申请不仅可以对一些软件程序进行自动判断, 还可以对图片等文件的执行是否安全进行自动判断, 而且还可以对用户输入 的网址、 关键词等信息进行自动判断, 如果网址或关键词是某电影网站, 则 打开一个新的浏览器在沙箱内去浏览这个网站。 附图说明  Secondly, the target object described in the present application may be not only the target program but also the target file or information input by the user. Therefore, the present application can not only automatically judge some software programs, but also automatically judge whether the execution of files such as pictures is safe, and can also automatically judge the information such as the URL and keywords input by the user, if the website or keyword Is a movie website, open a new browser to browse the website in the sandbox. DRAWINGS
图 1是本申请实施例所述一种利用沙箱进行防御的方法流程图; 图 2是本申请优选实施例所述一种利用沙箱进行防御的方法流程图; 图 3是本申请优选实施例所述一种利用沙箱进行防御的装置结构图。 具体实施方式  1 is a flowchart of a method for defending by using a sandbox according to an embodiment of the present application; FIG. 2 is a flowchart of a method for defending by using a sandbox according to a preferred embodiment of the present application; FIG. 3 is a preferred implementation of the present application. An example of a device structure for using a sandbox for defense. detailed description
为使本申请的上述目的、 特征和优点能够更加明显易懂, 下面结合附图 和具体实施方式对本申请作进一步详细的说明。  The above described objects, features and advantages of the present invention will become more apparent from the detailed description.
对于采用了沙箱技术的系统, 本申请提供了一种智能判定的方法, 可以 在用户对目标对象执行操作之前, 自动判断所述目标对象的执行是否需要导 入沙箱, 从而帮助用户决定哪些有风险的程序需要在沙箱内运行。 For systems employing sandbox technology, the present application provides an intelligent decision method, which can Before the user performs an operation on the target object, it is automatically determined whether the execution of the target object needs to be imported into the sandbox, thereby helping the user decide which risky programs need to run in the sandbox.
下面通过实施例进行详细说明。 参照图 1 , 是本申请实施例所述一种利用沙箱进行防御的方法流程图。 步骤 101 , 在对目标对象执行操作之前, 触发以下防御步骤;  The details will be described below by way of examples. Referring to FIG. 1 , it is a flowchart of a method for defending by using a sandbox according to an embodiment of the present application. Step 101: Before performing an operation on the target object, trigger the following defense steps;
步骤 102, 对待操作的目标对象, 自动判断所述目标对象的执行是否需 要导入沙箱;  Step 102: The target object to be operated is automatically determined whether the execution of the target object needs to be imported into a sandbox;
如果是, 则执行步骤 103; 如果否, 则执行步骤 104。  If yes, go to step 103; if no, go to step 104.
步骤 103 , 如果需要导入沙箱, 则在沙箱中完成该目标对象的执行。 步骤 104, 如果不需要导入沙箱, 则在沙箱外完成该目标对象的执行。 即按照正常的处理流程执行该目标对象。  Step 103: If the sandbox needs to be imported, the execution of the target object is completed in the sandbox. Step 104: If the sandbox does not need to be imported, the execution of the target object is completed outside the sandbox. That is, the target object is executed according to the normal processing flow.
优选地, 如果所述待操作的目标对象的执行需要导入沙箱, 则导入沙箱 之前, 还可以弹出提示窗提示用户是否导入沙箱, 以方便用户根据自动判断 的结果进行自由选择。  Preferably, if the execution of the target object to be operated needs to be imported into the sandbox, before the sandbox is imported, a prompt window may be popped up to prompt the user to import the sandbox, so that the user can freely select according to the result of the automatic judgment.
上述实施例中, 所述目标对象包括但不限于目标程序、 目标文件和用户 输入的信息。 下面分别进行详细说明。  In the above embodiment, the target object includes, but is not limited to, a target program, an object file, and information input by the user. The details are described below separately.
( 1 ) 目标程序  (1) Target procedure
所述目标程序通常指可执行文件, 如电子书、 在线播放器、 序号生成器 等。  The target program is generally referred to as an executable file such as an e-book, an online player, a serial number generator, and the like.
用户可通过多种方式触发步骤 102的执行, 触发方式包括但不限于: 将 目标程序下载到客户端后, 通过双击或在右键菜单中点击 "打开" 等方式在 客户端运行该目标程序之前, 可触发步骤 102进行自动判断, 从而防止恶意 程序的运行破坏系统; 和 /或, 在下载目标程序之前进行触发, 从而在将恶意 程序下载到客户端之前就提前进行了防御。 此外, 对于一些可在线运行的目 标程序, 也可以在运行之前触发防御保护。 总之, 在对目标程序的任何操作 之前都可进行自动判断, 以保护系统的安全性。  The user can trigger the execution of step 102 in a plurality of manners, including but not limited to: after downloading the target program to the client, by double-clicking or clicking "open" in the right-click menu, before the client runs the target program, Step 102 can be triggered to automatically determine to prevent the malicious program from damaging the system; and/or to trigger before downloading the target program, thereby pre-defending the malicious program before downloading it to the client. In addition, for some target programs that can be run online, defense protection can also be triggered before running. In short, automatic judgment can be made before any operation on the target program to protect the security of the system.
对于判断为需要导入沙箱执行的目标程序, 所述在沙箱中完成该目标程 序的执行是指: 将该目标程序导入沙箱, 在沙箱中完成该目标程序的运行。 例如, 对于某网站上的色情播放器, 将该播放器放入沙箱中运行。 For the target program determined to be required to be imported into the sandbox, the target is completed in the sandbox The execution of the sequence means: The target program is imported into the sandbox to complete the running of the target program in the sandbox. For example, for a porn player on a website, put the player in a sandbox to run.
( 2 ) 目标文件  (2) Target file
所述目标文件通常指图片等不可执行文件, 这种目标文件的执行需要由 关联程序完成。 例如, 对于图片, 需要启动图片浏览器来浏览, 所述图片浏 览器即为该图片文件的关联程序。  The target file usually refers to an unexecutable file such as a picture, and execution of such an object file needs to be performed by an associated program. For example, for a picture, a picture browser needs to be launched to browse, and the picture browser is an associated program of the picture file.
对于判断为需要导入沙箱执行的目标文件, 所述在沙箱中完成该目标文 件的执行是指: 将执行该目标文件的关联程序导入沙箱, 在沙箱中由所述关 联程序运行该目标文件。 例如, 对于不可信的图片文件, 可以将图片浏览器 导入沙箱来打开该图片。  For the target file that is determined to be imported into the sandbox, the completion of the execution of the target file in the sandbox means: importing the associated program that executes the target file into the sandbox, and the associated program runs in the sandbox. Target file. For example, for an untrusted image file, you can import the image browser into the sandbox to open the image.
针对目标文件, 用户也可通过多种方式触发步骤 102的执行, 触发方式 包括但不限于: 将所述目标文件或执行该目标文件的关联程序下载到客户端 后, 在客户端运行该目标文件之前进行触发; 和 /或, 在下载所述目标文件或 在线执行该目标文件的关联程序之前进行触发。 总之, 在对目标文件的任何 操作之前都可进行自动判断, 以保护系统的安全性。  For the target file, the user may also trigger the execution of the step 102 in multiple manners, including but not limited to: after the target file or the associated program that executes the target file is downloaded to the client, the target file is run on the client. Trigger before; and/or, trigger before downloading the target file or executing the associated program of the target file online. In summary, automatic judgment can be made before any operation on the target file to protect the security of the system.
( 3 )用户输入的信息  (3) User input information
用户输入的信息包括用户输入的网址、 关键词等信息。  The information input by the user includes information such as a web address, a keyword, and the like input by the user.
如果所述目标对象为用户输入的信息, 则通常在用户输入所述信息时触 发步骤 102进行安全防御, 即判断用户输入的网址、 关键词等信息是否安全 可信, 如果不可信, 则执行步骤 103。  If the target object is the information input by the user, the step 102 is triggered to perform security defense when the user inputs the information, that is, whether the information such as the website address and the keyword input by the user is safe and trustworthy, and if not, the step is performed. 103.
对于判断为需要导入沙箱执行的用户输入信息, 所述在沙箱中完成该用 户输入信息的执行是指: 将接收该用户输入信息的关联程序导入沙箱, 在沙 箱中根据该用户输入信息运行所述关联程序。 例如, 对于存在可疑的网址, 在沙箱中新打开一个浏览器来链接到该网址对应的网站, 所述浏览器程序即 为接收网址输入的关联程序。  For the user input information that is determined to be required to be imported into the sandbox, the completion of the execution of the user input information in the sandbox means: importing the associated program that receives the user input information into the sandbox, and inputting the user according to the user in the sandbox The information runs the associated program. For example, for a suspicious URL, a new browser is opened in the sandbox to link to the website corresponding to the URL, and the browser program is the associated program that receives the URL input.
结合上述( 1 )、 ( 2 )、 ( 3 ), 无论用户要操作的目标对象是哪一种, 图 1 所示方法都可以自动判断其执行是否需要导入沙箱。本申请实施例提供的自 动判断方法包括但不限于: 判断所述待操作的目标对象是否符合预置的匹配 规则, 如果符合, 则所述待操作的目标对象的执行需要导入沙箱; 如果不符 合, 则不需要导入沙箱。 In combination with the above (1), (2), (3), no matter which kind of target object the user wants to operate, the method shown in Fig. 1 can automatically judge whether the execution needs to be imported into the sandbox. The automatic judgment method provided by the embodiment of the present application includes, but is not limited to: determining whether the target object to be operated meets a preset match. The rule, if it is met, the execution of the target object to be operated needs to be imported into the sandbox; if it is not, the sandbox does not need to be imported.
具体而言, 所述判断可以是: 查询预置的数据库, 将所述待操作的目标 对象与该数据库中的预置规则进行比较, 如果在该数据库中查询到, 则符合 匹配规则; 如果未查询到, 则不符合匹配规则。 即数据库中存储了各种判断 的规则, 或者直接存储了符合匹配规则的对象的特征, 如果在数据库中查询 到所述待操作的目标对象, 则表明该目标对象的执行需要导入沙箱。  Specifically, the determining may be: querying a preset database, comparing the target object to be operated with a preset rule in the database, and if queried in the database, matching the matching rule; If it is queried, it does not match the matching rule. That is, the rules for storing various judgments are stored in the database, or the characteristics of the objects that match the matching rules are directly stored. If the target object to be operated is queried in the database, it indicates that the execution of the target object needs to be imported into the sandbox.
针对不同的目标对象, 相对应的匹配规则也不同:  Corresponding matching rules are different for different target objects:
1 ) 当所述待操作的目标对象为目标程序和 /或目标文件时, 判断所述待 操作的目标对象是否符合预置的匹配规则, 包括: 判断所述目标对象的相关 信息是否符合预置的匹配规则;和 /或,判断所述目标对象的来源程序的相关 信息是否符合预置的匹配规则。  1) When the target object to be operated is the target program and/or the target file, determining whether the target object to be operated meets the preset matching rule comprises: determining whether the related information of the target object meets the preset a matching rule; and/or, determining whether the related information of the source program of the target object conforms to a preset matching rule.
其中, 所述目标对象的相关信息包括:  The related information of the target object includes:
目标对象的文件路径, 和 /或  The file path of the target object, and / or
目标对象的加密数据(如 MD5 ), 和 /或  Encrypted data of the target object (such as MD5), and / or
目标对象的文件属性(如产品名称、 版本信息、 签名发行者、 文件大小 等), 和 /或  File attributes of the target object (such as product name, version information, signature issuer, file size, etc.), and/or
目标对象的图标特征值(如图标哈希值), 和 /或  Icon feature values (such as icon hash values) of the target object, and / or
目标对象的文件特征值(如文件哈希值), 和 /或  The file feature value of the target object (such as a file hash value), and / or
目标对象的下载来源 (如从哪个网站下载);  The download source of the target object (such as which website to download from);
也即, 目标对象的相关信息包括上述信息中的至少一个。  That is, the related information of the target object includes at least one of the above information.
相应地, 所述来源程序的相关信息包括:  Correspondingly, the related information of the source program includes:
来源程序的文件路径, 和 /或  The file path of the source program, and / or
来源程序的加密数据(如 MD5 ), 和 /或  Encrypted data from the source program (such as MD5), and / or
来源程序的文件属性(如产品名称、 版本信息、 签名发行者、 文件大小 等), 和 /或  File attributes of the source program (such as product name, version information, signature issuer, file size, etc.), and/or
来源程序的图标特征值(如图标哈希值), 和 /或  The icon feature value of the source program (such as an icon hash), and / or
来源程序的文件特征值(如文件哈希值), 和 /或 来源程序的下载来源 (如从哪个网站下载); File feature values (such as file hash values) of the source program, and/or The source of the download of the source program (such as which website to download from);
也即, 来源程序的相关信息包括上述信息中的至少一个。  That is, the related information of the source program includes at least one of the above information.
基于上述目标对象的相关信息和来源程序的相关信息,所述匹配规则可 以是:  Based on the related information of the target object and related information of the source program, the matching rule may be:
例 1 : 对于网站上的色情播放器, 匹配规则如下:  Example 1: For pornographic players on the site, the matching rules are as follows:
来源程序为: 浏览器程序或资源管理器;  The source program is: a browser program or a resource manager;
目标的文件名: 包含 "日本 AV" 或 "情色" ...;  Target file name: Contains "Japan AV" or "Erotic" ...;
目标的文件图标 为特定播放器图标;  The file icon of the target is a specific player icon;
目标的文件大小 可以限制在一个范围, 比如: 1MB〜10MB;  The target file size can be limited to a range, such as: 1MB~10MB;
目标的文件描述 t匕: ¾口 xxxx成人播放器, xxxx专用播放器。  File description of the target t匕: 3⁄4 port xxxx adult player, xxxx dedicated player.
即符合上述规则的播放器即判定为色情播放器。  That is, the player that meets the above rules is judged to be a pornographic player.
例 2: 对于未知有风险的电子书, 匹配规则如下:  Example 2: For an unknown risk e-book, the matching rules are as follows:
目标文件名称:包含 "电子书" 的关键字;  Target file name: A keyword containing an "e-book";
目标文件图标的特征值包含: 电子书的图标的特征。 例 3: 对于未知有风险的序号生成器, 匹配规则如下:  The feature value of the target file icon contains: The characteristics of the icon of the e-book. Example 3: For an unknown risky sequencer generator, the matching rules are as follows:
目标文件名称: 有包含 "序号生成器"或 "keygen"或 "cracker"或 "破 解机" 的关键字;  Target file name: There are keywords that contain "serial number generator" or "keygen" or "cracker" or "debug machine";
目标文件图标的特征值包含: 序号生成器的图标的特征。  The feature values of the target file icon include: The characteristics of the icon of the sequencer generator.
对符合上述规则的序号生成器可判断为有风险的序号生成器。  The sequence number generator that meets the above rules can be judged as a risky sequence number generator.
除上述列举的几种匹配规则之外, 还可以有其他的多种规则, 如进行模 糊匹配或全文匹配, 优先进行文件名称的匹配, 等等, 视具体应用而定, 在 此不再 列举。  In addition to the above-mentioned several matching rules, there may be other rules, such as performing fuzzy matching or full-text matching, prioritizing file name matching, etc., depending on the specific application, and will not be enumerated here.
2 ) 当所述待操作的目标对象为用户输入的信息时, 判断所述待操作的 目标对象是否符合预置的匹配规则, 包括: 判断所述用户输入的信息是否符 合预置的匹配规则。  2) When the target object to be operated is information input by the user, determining whether the target object to be operated meets the preset matching rule comprises: determining whether the information input by the user conforms to a preset matching rule.
例如, 判断用户输入的网址是否为一些色情网站的网址, 或者判断用户 输入的关键词是否包含 "日本 AV" 或 "情色" 等信息。 通过用户输入的信 息,就可以预先判断出用户下一步要浏览的网站或要搜索的网页是否需要放 入沙箱。 For example, it is determined whether the URL input by the user is the URL of some pornographic websites, or whether the keyword input by the user contains information such as "Japanese AV" or "erotic". Letter entered by user The information can be pre-determined whether the website to be browsed by the user or the web page to be searched needs to be placed in a sandbox.
基于上述列举的各种匹配规则, 优选地, 在对目标对象进行上述匹配规 则的自动判断之前, 还可以优先进行如下的自动判断, 列举如下:  Based on the various matching rules listed above, preferably, before the automatic determination of the matching rule by the target object, the following automatic determination may be preferentially performed, as follows:
1 )在判断所述待操作的目标对象是否符合预置的匹配规则之前: 创建用于自动判断所述目标对象的执行的进程;  1) before determining whether the target object to be operated meets a preset matching rule: creating a process for automatically determining execution of the target object;
判断所述进程的父进程是否在沙箱内, 如果是, 则所述待操作的目标对 象的执行需要导入沙箱; 如果否, 则继续判断所述待操作的目标对象是否符 合预置的匹配规则。  Determining whether the parent process of the process is in the sandbox, if yes, the execution of the target object to be operated needs to be imported into the sandbox; if not, continuing to determine whether the target object to be operated meets the preset match rule.
即如果所述用于自动判断目标对象的执行的进程存在父进程, 则该用于 自动判断的进程称为子进程。 如果父进程已导入沙箱中, 说明该父进程不可 信, 那么该父进程调用的子进程也是不可信的, 所以子进程也应该导入沙箱 执行。  That is, if the process for automatically determining the execution of the target object has a parent process, the process for automatic judgment is called a child process. If the parent process has been imported into the sandbox, indicating that the parent process is untrustworthy, the child process called by the parent process is also untrusted, so the child process should also be imported into the sandbox for execution.
2) 判断所述待操作的目标对象是否符合预置的匹配规则之前: 判断用户是否选择将所述待操作的目标对象的执行导入沙箱, 如果是, 则所述待操作的目标对象的执行需要导入沙箱; 如果否, 则继续判断所述待 操作的目标对象是否符合预置的匹配规则。  2) determining whether the target object to be operated meets the preset matching rule: determining whether the user selects to import the execution of the target object to be operated into the sandbox, and if yes, performing the target object to be operated The sandbox needs to be imported; if not, it is further determined whether the target object to be operated meets the preset matching rule.
即用户可参与选择是否放入沙箱, 如果用户已主动选择放入沙箱, 则不 需要进行匹配规则的自动判断。  That is, the user can participate in selecting whether to put in the sandbox. If the user has actively selected to put in the sandbox, no automatic judgment of the matching rule is needed.
3) 判断所述待操作的目标对象是否符合预置的匹配规则之前: 判断所述待操作的目标对象是否在白名单中, 如果不在白名单中, 则所 述待操作的目标对象是未知对象,继续判断所述待操作的目标对象是否符合 预置的匹配规则; 如果在白名单中, 则不需要导入沙箱。  3) determining whether the target object to be operated meets the preset matching rule: determining whether the target object to be operated is in the white list, and if not in the white list, the target object to be operated is an unknown object And continuing to determine whether the target object to be operated meets the preset matching rule; if in the white list, it is not required to import the sandbox.
所述白名单中列出了比较安全的目标对象, 白名单中的目标对象可以不 导入沙箱而直接执行。 如果待操作的目标对象在所述白名单中, 则可以免除 匹配规则的自动判断。 如果待操作的目标对象不在所述白名单中, 表明所述 待操作的目标对象是未知对象, 还需要进一步进行自动判断。  The safer target objects are listed in the whitelist, and the target objects in the whitelist can be directly executed without being imported into the sandbox. If the target object to be operated is in the white list, the automatic judgment of the matching rule can be dispensed with. If the target object to be operated is not in the white list, indicating that the target object to be operated is an unknown object, further automatic judgment is required.
4) 判断所述待操作的目标对象是否符合预置的匹配规则之前: 判断所述待操作的目标对象是否在黑名单中, 如果在黑名单中, 则所述 待操作的目标对象的执行需要导入沙箱; 如果不在黑名单中, 则继续判断所 述待操作的目标对象是否符合预置的匹配规则。 4) Before judging whether the target object to be operated meets the preset matching rule: Determining whether the target object to be operated is in the blacklist, if in the blacklist, performing the execution of the target object to be operated needs to be imported into the sandbox; if not in the blacklist, continuing to determine the target to be operated Whether the object meets the preset matching rules.
所述黑名单中列出了一定不可信的目标对象, 如果待操作的目标对象在 所述黑名单中, 则直接导入沙箱执行; 但如果不在黑名单中, 也不能排除所 述待操作的目标对象一定安全, 因此还需要继续进行匹配规则的判断。  The target object that is not trusted is listed in the blacklist. If the target object to be operated is in the blacklist, it is directly imported into the sandbox; but if it is not in the blacklist, the pending operation cannot be excluded. The target object must be secure, so it is necessary to continue to judge the matching rules.
在实际应用中, 如果待操作的目标对象在黑名单中, 也可以直接进行拦 截而不放入沙箱, 这些都可以由用户进行选择。  In practical applications, if the target object to be operated is in the blacklist, it can also be directly intercepted without being placed in a sandbox, which can be selected by the user.
上述 1 )至 4 ) 可以单独在匹配规则的判断之前使用, 也可以组合起来 在匹配规则的判断之前使用。  The above 1) to 4) can be used separately before the judgment of the matching rule, or can be combined before use in the judgment of the matching rule.
基于上述内容, 在实际应用中, 本申请实施例还提供了以下两种实现方 式:  Based on the foregoing, in an actual application, the embodiment of the present application further provides the following two implementation manners:
第一种, 根据客户端的请求, 由服务器端自动判断所述待操作的目标对 象的执行是否需要导入沙箱。  First, according to the request of the client, the server automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox.
具体来说, 服务器端存储了自动判断的各种规则, 如果待操作的目标程 序或目标文件已经下载到了客户端, 在用户点击执行时, 客户端会将要进行 判断的请求发给服务器, 由服务器进行自动判断。 或者, 从服务器上下载目 标程序或目标文件之前, 服务器根据客户端的下载请求, 判断是否导入沙箱 下载。 或者, 在用户输入网址、 关键词时, 服务器根据用户的输入进行自动 判断。  Specifically, the server side stores various rules for automatic judgment. If the target program or target file to be operated has been downloaded to the client, when the user clicks and executes, the client sends a request for the judgment to the server, and the server sends the request to the server. Make an automatic judgment. Or, before downloading the target program or target file from the server, the server determines whether to import the sandbox download according to the download request of the client. Alternatively, when the user inputs a web address or a keyword, the server automatically judges based on the user's input.
第二种, 由客户端自动判断所述待操作的目标对象的执行是否需要导入 σ相。  Secondly, it is automatically determined by the client whether the execution of the target object to be operated needs to import the σ phase.
这种情况下, 客户端存储了自动判断的各种规则, 并定期从服务器上更 新, 客户端可在用户对目标对象进行操作之前进行自动判断。  In this case, the client stores various rules for automatic judgment and updates it regularly from the server. The client can automatically judge the user before the target object is operated.
综上所述, 上述实施例提供了一种智能判定的方法, 可以在用户对目标 对象执行操作之前, 自动判断所述目标对象的执行是否需要导入沙箱, 由此 带来以下优点:  In summary, the foregoing embodiment provides a method for intelligent determination, which can automatically determine whether the execution of the target object needs to be imported into a sandbox before the user performs an operation on the target object, thereby bringing the following advantages:
第一, 可以帮助用户决定哪些有风险的程序需要在沙箱内运行, 而不需 要用户自行判断; First, it can help users decide which risky programs need to run in the sandbox without The user must judge by himself;
第二, 避免将安全无风险的程序放置沙箱内运行导致用户数据的丟失; 第三, 无需用户的参与, 因此不影响用户的操作, 易用性高。 基于上述内容, 本申请还提供了图 2所示的优选实施例。  Secondly, avoiding the loss of user data by placing the safe and risk-free program in the sandbox; Thirdly, without the user's participation, the user's operation is not affected, and the ease of use is high. Based on the above, the present application also provides the preferred embodiment shown in FIG. 2.
参照图 2, 是本申请优选实施例所述一种利用沙箱进行防御的方法流程 图。  Referring to Fig. 2, there is shown a flow chart of a method for defending by using a sandbox according to a preferred embodiment of the present application.
以目标对象是目标程序为例, 目标对象是目标文件和用户输入信息的情 况与此类似, 不再详述。  Taking the target object as the target program as an example, the target object is similar to the target file and the user input information, and will not be described in detail.
整个待操作的目标程序自动进入沙箱的判断流程如下:  The judgment process of the entire target program to be operated automatically enters the sandbox is as follows:
步骤 201 , 创建进程;  Step 201, creating a process;
步骤 202, 判断父进程是否在沙箱内;  Step 202: Determine whether the parent process is in a sandbox;
如果父进程在沙箱内, 则跳转到步骤 208;  If the parent process is in the sandbox, then go to step 208;
如果父进程不在沙箱内, 则继续步骤 203。  If the parent process is not in the sandbox, proceed to step 203.
步骤 203 ,判断用户是否选择将所述待操作的目标程序的执行导入沙箱; 如果用户已选择将所述待操作的目标程序的执行导入沙箱, 则跳转到步 骤 208;  Step 203, determining whether the user chooses to import the execution of the target program to be operated into the sandbox; if the user has selected to import the execution of the target program to be operated into the sandbox, then the process proceeds to step 208;
如果用户未选择将所述待操作的目标程序的执行导入沙箱, 则继续步骤 If the user does not choose to import the execution of the target program to be operated into the sandbox, continue with the steps
204。 204.
步骤 204, 判断所述待操作的目标程序是否在白名单中;  Step 204: Determine whether the target program to be operated is in a white list.
如果在白名单中, 则跳转到步骤 209;  If it is in the white list, then go to step 209;
如果不在白名单中, 则是未知程序, 继续步骤 205。  If it is not in the white list, it is an unknown program, and step 205 is continued.
步骤 205 , 判断所述待操作的目标对象是否在黑名单中;  Step 205: Determine whether the target object to be operated is in a blacklist.
如果在黑名单中, 则跳转到步骤 208;  If it is in the blacklist, then go to step 208;
如果不在黑名单中, 则继续步骤 206。  If it is not in the blacklist, proceed to step 206.
步骤 206, 判断所述目标程序是否为特定类型的程序;  Step 206: Determine whether the target program is a specific type of program;
即根据各种匹配规则判断是否为特定类型的程序;  That is, it is judged whether it is a specific type of program according to various matching rules;
如果是, 则继续步骤 207; 如果不是, 则跳转到步骤 209。 If yes, proceed to step 207; If not, then go to step 209.
步骤 207, 弹出提示窗提示用户该目标程序将导入沙箱内执行; 如果用户选择导入, 则将该目标程序加入沙箱运行列表。  Step 207, a pop-up prompt window prompts the user that the target program is to be executed in the sandbox; if the user selects to import, the target program is added to the sandbox running list.
步骤 208, 开始将目标程序的文件 /注册表的写入、 删除、 修改等操作动 作导向沙箱中, 判断流程结束。  In step 208, the operation of writing, deleting, and modifying the file/registry of the target program is started in the sandbox, and the process ends.
步骤 209,将目标程序在一般环境下运行(非沙箱模式),判断流程结束。 需要说明的是, 上述步骤 203至步骤 205的顺序也可以更换, 但都需要 在步骤 206之前。  In step 209, the target program is run in a general environment (non-sandbox mode), and the process ends. It should be noted that the order of the foregoing steps 203 to 205 can also be replaced, but all need to be before step 206.
需要说明的是, 对于前述的各方法实施例, 为了简单描述, 故将其都表 述为一系列的动作组合, 但是本领域技术人员应该知悉, 本申请并不受所描 述的动作顺序的限制, 因为依据本申请, 某些步骤可以采用其他顺序或者同 时进行。 其次, 本领域技术人员也应该知悉, 说明书中所描述的实施例均属 于优选实施例, 所涉及的动作和模块并不一定是本申请所必须的。 基于上述内容, 本申请还提供了相应的装置实施例, 如图 3所示。  It should be noted that, for the foregoing method embodiments, for the sake of brevity, they are all described as a series of action combinations, but those skilled in the art should understand that the present application is not limited by the described action sequence. Because certain steps may be performed in other sequences or concurrently in accordance with the present application. In addition, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application. Based on the above, the present application also provides a corresponding device embodiment, as shown in FIG.
参照图 3 , 是本申请优选实施例所述一种利用沙箱进行防御的装置结构 图。  Referring to Fig. 3, there is shown a block diagram of a device for defense using a sandbox according to a preferred embodiment of the present application.
所述装置可以包括以下模块:  The device may include the following modules:
判断模块 31 ,设置为在对目标对象执行操作之前, 自动判断待操作的目 标对象的执行是否需要导入沙箱;  The judging module 31 is configured to automatically determine whether the execution of the target object to be operated needs to be imported into the sandbox before performing the operation on the target object;
执行模块 32, 设置为若判断模块 31的判断结果为需要导入沙箱, 则将 目标对象导入沙箱并在沙箱中完成该目标对象的执行; 如果否, 则可以在沙 箱外完成该目标对象的执行。  The execution module 32 is configured to: if the judgment result of the determination module 31 is that the sandbox needs to be imported, the target object is imported into the sandbox and the execution of the target object is completed in the sandbox; if not, the target can be completed outside the sandbox The execution of the object.
其中, 所述目标对象包括但不限于: 目标程序, 目标文件, 用户输入的 信息。  The target object includes but is not limited to: a target program, an object file, and information input by the user.
执行模块 32在将目标对象导入沙箱并在沙箱中完成该目标对象的执行 时:  Execution module 32, when the target object is imported into the sandbox and the execution of the target object is completed in the sandbox:
如果所述目标对象为目标程序, 则所述执行模块 32将该目标程序导入 沙箱, 在沙箱中完成该目标程序的运行; If the target object is a target program, the execution module 32 imports the target program Sandbox, complete the operation of the target program in the sandbox;
如果所述目标对象为目标文件, 则所述执行模块 32将执行该目标文件 的关联程序导入沙箱, 在沙箱中由所述关联程序运行该目标文件;  If the target object is a target file, the execution module 32 imports the associated program that executes the target file into the sandbox, and the target file is run by the associated program in the sandbox;
如果所述目标对象为用户输入的信息, 则所述执行模块 32将接收该用 户输入信息的关联程序导入沙箱,在沙箱中根据该用户输入信息运行所述关 联程序; 所述用户输入的信息包括网址和 /或关键词。  If the target object is information input by the user, the executing module 32 imports the associated program that receives the user input information into a sandbox, and runs the associated program according to the user input information in the sandbox; Information includes URLs and/or keywords.
优选地, 判断模块 31设置为: 如果所述目标对象为目标程序, 则所述 判断模块 31将所述目标程序下载到客户端后在客户端运行该目标程序之前, 自动判断待操作的所述目标对象的执行是否需要导入沙箱;和 /或,在下载所 述目标程序之前, 自动判断待操作的所述目标对象的执行是否需要导入沙 相;  Preferably, the determining module 31 is configured to: if the target object is a target program, the determining module 31 automatically downloads the target program to be downloaded to the client, and automatically determines the to-be-operated operation before the client runs the target program Whether the execution of the target object needs to be imported into the sandbox; and/or, before downloading the target program, automatically determining whether the execution of the target object to be operated needs to be imported into the sand phase;
如果所述目标对象为目标文件, 则所述判断模块 31将所述目标文件或 执行该目标文件的关联程序下载到客户端后在客户端运行该目标文件之前, 自动判断待操作的所述目标对象的执行是否需要导入沙箱;和 /或,在下载所 述目标文件或在线执行该目标文件的关联程序之前, 自动判断待操作的所述 目标对象的执行是否需要导入沙箱;  If the target object is the target file, the determining module 31 downloads the target file or the associated program that executes the target file to the client, and automatically determines the target to be operated before the client runs the target file. Whether the execution of the object needs to be imported into the sandbox; and/or, before downloading the target file or executing the associated program of the target file online, automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox;
如果所述目标对象为用户输入的信息, 则所述判断模块 31在用户输入 所述信息时, 自动判断待操作的所述目标对象的执行是否需要导入沙箱。  If the target object is information input by the user, the determining module 31 automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox when the user inputs the information.
进一步, 所述判断模块 31可以包括:  Further, the determining module 31 may include:
规则判断模块 311 , 设置为在对目标对象执行操作之前, 判断所述待操 作的目标对象是否符合预置的匹配规则, 如果符合, 则所述待操作的目标对 象的执行需要导入沙箱; 如果不符合, 则不需要导入沙箱。  The rule judging module 311 is configured to determine whether the target object to be operated meets a preset matching rule before performing an operation on the target object, and if yes, the execution of the target object to be operated needs to be imported into the sandbox; If it does not match, you do not need to import the sandbox.
进一步, 当所述待操作的目标对象为目标程序和 /或目标文件时, 所述 规则判断模块 311判断所述目标对象的相关信息是否符合预置的匹配规则; 和 /或, 判断所述目标对象的来源程序的相关信息是否符合预置的匹配规贝' J ; 其中, 所述目标对象的相关信息包括目标对象的文件路径、 和 /或加密 数据、和 /或文件属性、和 /或图标特征值、和 /或文件特征值、和 /或下载来源, 即, 上述信息中的至少一个; 所述来源程序的相关信息包括来源程序的文件 路径、和 /或加密数据、和 /或文件属性、和 /或图标特征值、和 /或文件特征值、 和 /或下载来源, 即, 上述信息中的至少一个; Further, when the target object to be operated is the target program and/or the target file, the rule determining module 311 determines whether the related information of the target object meets a preset matching rule; and/or determines the target Whether the information related to the source program of the object conforms to a preset matching rule 'J; wherein the related information of the target object includes a file path of the target object, and/or encrypted data, and/or file attributes, and/or icons The feature value, and/or the file feature value, and/or the download source, ie, at least one of the above information; the related information of the source program includes the file of the source program Path, and/or encrypted data, and/or file attributes, and/or icon feature values, and/or file feature values, and/or download sources, ie, at least one of the above information;
当所述待操作的目标对象为用户输入的信息时, 所述规则判断模块 311 判断所述用户输入的信息是否符合预置的匹配规则。  When the target object to be operated is information input by the user, the rule determining module 311 determines whether the information input by the user meets a preset matching rule.
优选地, 所述判断模块 31还可以包括:  Preferably, the determining module 31 may further include:
父进程判断模块 312, 设置为在规则判断模块判 311断所述待操作的目 标对象是否符合预置的匹配规则之前,创建用于自动判断所述目标对象的执 行的进程后, 判断所述进程的父进程是否在沙箱内, 如果是, 则所述待操作 的目标对象的执行需要导入沙箱, 触发所述执行模块 32将所述目标对象导 入所述沙箱并在所述沙箱中完成该目标对象的执行; 如果否, 则触发所述规 则判断模块 311继续判断所述待操作的目标对象是否符合预置的匹配规则。  The parent process judging module 312 is configured to: after the rule judging module judges 311 whether the target object to be operated meets the preset matching rule, and after creating a process for automatically determining the execution of the target object, determining the process Whether the parent process is in the sandbox, if yes, the execution of the target object to be operated needs to be imported into the sandbox, triggering the execution module 32 to import the target object into the sandbox and in the sandbox The execution of the target object is completed; if not, the rule determination module 311 is triggered to continue to determine whether the target object to be operated meets a preset matching rule.
优选地, 所述判断模块 31还可以包括:  Preferably, the determining module 31 may further include:
用户选择判断模块 313 , 设置为判断用户是否选择将所述待操作的目标 对象的执行导入沙箱, 如果是, 则所述待操作的目标对象的执行需要导入沙 箱, 触发所述执行模块 32将所述目标对象导入所述沙箱并在所述沙箱中完 成该目标对象的执行; 如果否, 则触发所述规则判断模块 311继续判断所述 待操作的目标对象是否符合预置的匹配规则。  The user selection judging module 313 is configured to determine whether the user selects to import the execution of the target object to be operated into the sandbox. If yes, the execution of the target object to be operated needs to be imported into the sandbox, and the execution module 32 is triggered. Importing the target object into the sandbox and completing execution of the target object in the sandbox; if not, triggering the rule determination module 311 to continue to determine whether the target object to be operated meets a preset match rule.
优选地, 所述判断模块 31还可以包括:  Preferably, the determining module 31 may further include:
白名单判断模块 314, 设置为判断所述待操作的目标对象是否在白名单 中, 如果不在白名单中, 则所述待操作的目标对象是未知对象, 触发所述规 则判断模块 311继续判断所述待操作的目标对象是否符合预置的匹配规则; 如果在白名单中, 则不需要导入沙箱。  The whitelist determination module 314 is configured to determine whether the target object to be operated is in the whitelist. If the target object to be operated is not in the whitelist, the target object to be operated is an unknown object, and the rule determination module 311 is triggered to continue to determine the location. Whether the target object of the operation is in compliance with the preset matching rule; if it is in the white list, it is not necessary to import the sandbox.
优选地, 所述判断模块 31还可以包括:  Preferably, the determining module 31 may further include:
黑名单判断模块 315 , 设置为判断所述待操作的目标对象是否在黑名单 中, 如果在黑名单中, 则所述待操作的目标对象的执行需要导入沙箱, 触发 所述执行模块 32将所述目标对象导入所述沙箱并在所述沙箱中完成该目标 对象的执行; 如果不在黑名单中, 则触发所述规则判断模块 311继续判断所 述待操作的目标对象是否符合预置的匹配规则。 优选地, 所述装置还可以包括: The blacklist determination module 315 is configured to determine whether the target object to be operated is in the blacklist. If the target object to be operated is in the blacklist, the execution of the target object to be operated needs to be imported into the sandbox, and the execution module 32 is triggered. The target object is imported into the sandbox and the execution of the target object is completed in the sandbox; if not in the blacklist, the rule determination module 311 is triggered to continue to determine whether the target object to be operated meets the preset Matching rules. Preferably, the device may further include:
提示模块 33 , 设置为在所述执行模块 32确定需要导入沙箱之后, 将所 述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行之前, 弹出 提示窗提示用户是否导入沙箱; 并根据所述用户的肯定输入调用所述执行模 块 32将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行。  The prompting module 33 is configured to: after the execution module 32 determines that the sandbox needs to be imported, import the target object into the sandbox and complete the execution of the target object in the sandbox, and pop up a prompt window to prompt the user whether Importing a sandbox; and invoking the execution module 32 to import the target object into the sandbox according to the user's positive input and complete execution of the target object in the sandbox.
对于装置实施例而言, 由于其与方法实施例基本相似, 所以描述的比较 简单, 相关之处参见方法实施例的部分说明即可。  For the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
上述利用沙箱技术进行防御的装置可以部署在服务器端, 也可以部署在 客户端, 在用户对目标对象执行操作之前, 自动判断所述目标对象的执行是 否需要导入沙箱, 帮助用户决定哪些有风险的程序需要在沙箱内运行, 避免 将安全无风险的程序放置沙箱内运行导致用户数据的丟失, 而且由于无需用 户的参与, 因此不影响用户的操作, 易用性高。  The above-mentioned device that uses the sandbox technology for defense can be deployed on the server side or on the client side. Before the user performs an operation on the target object, it is automatically determined whether the execution of the target object needs to be imported into the sandbox, and the user is determined to determine which The risk program needs to be run in the sandbox to avoid the loss of user data caused by placing the safe and risk-free program in the sandbox, and because it does not require user participation, it does not affect the user's operation and is easy to use.
基于上述的利用沙箱技术进行防御的装置, 本申请实施例还提供了一种 安全浏览器, 该浏览器包括如上述图 3实施例所述的用沙箱技术进行系统防 御的装置, 并可采用图 1或图 2所述的方法自动判断待操作的目标对象的执 行是否需要导入沙箱。 具体描述可参见上述图 1、 图 2和图 3的相关内容, 不再伴述。  The device of the present application further provides a security browser, and the browser includes a device for performing system defense by using a sandbox technology as described in the foregoing embodiment of FIG. 3, and The method described in FIG. 1 or FIG. 2 is used to automatically determine whether the execution of the target object to be operated needs to be imported into the sandbox. For details, refer to the related contents of FIG. 1, FIG. 2 and FIG. 3 above, and no further description is provided.
另外, 基于本申请的利用沙箱技术进行防御的方法, 本申请实施例还提 供了一种在其上记录有执行本申请的利用沙箱技术进行防御的方法的程序 的计算机可读记录介质。 所述计算机可读记录介质包括用于以计算机可读的 形式存储或传送信息的任何机制。 例如, 机器可读介质包括只读存储器 ( ROM ), 随机存取存储器( RAM )、 磁盘存储介质、 光存储介质、 闪速存 储介质、 电、 光、 声或其他形式的传播信号等(例如, 载波、 红外信号、 数 据信号等)。 本说明书中的各个实施例均采用递进的方式描述,每个实施例重点说明 的都是与其他实施例的不同之处,各个实施例之间相同相似的部分互相参见 即可。 最后, 还需要说明的是, 在本文中, 诸如第一和第二等之类的关系术语 仅仅用来将一个实体或者操作与另一个实体或操作区分开来, 而不一定要求 或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。 In addition, based on the method for defending using the sandbox technology of the present application, the embodiment of the present application further provides a computer readable recording medium on which a program for performing the method for defending using the sandbox technology of the present application is recorded. The computer readable recording medium includes any mechanism for storing or transmitting information in a form readable by a computer. For example, a machine-readable medium includes a read only memory (ROM), a random access memory (RAM), a magnetic disk storage medium, an optical storage medium, a flash storage medium, an electrical, optical, acoustic, or other form of propagated signal, etc. (eg, Carrier, infrared signal, data signal, etc.). The various embodiments in the present specification are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same similar parts between the various embodiments can be referred to each other. Finally, it should also be noted that in this context, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply these entities. There is any such actual relationship or order between operations.
而且,上文中的 "和 /或"表示本文既包含了 "和"的关系,也包含了 "或" 的关系, 其中: 如果方案 A与方案 B是 "和" 的关系, 则表示某实施例中 可以同时包括方案 A和方案 B; 如果方案 A与方案 B是 "或" 的关系, 则 表示某实施例中可以单独包括方案 A, 或者单独包括方案 B。  Moreover, "and/or" in the above means that both the relationship of "and" and the relationship of "or" are included in the text, wherein: if the relationship between the scheme A and the scheme B is "and", it indicates an embodiment. The scheme A and the scheme B may be included at the same time; if the relationship between the scheme A and the scheme B is "or", it means that the scheme A may be separately included in an embodiment, or the scheme B may be separately included.
以上对本申请所提供的一种利用沙箱进行防御的方法、装置及安全浏览 器, 进行了详细介绍, 本文中应用了具体个例对本申请的原理及实施方式进 行了阐述, 以上实施例的说明只是用于帮助理解本申请的方法及其核心思 想; 同时, 对于本领域的一般技术人员, 依据本申请的思想, 在具体实施方 式及应用范围上均会有改变之处, 综上所述, 本说明书内容不应理解为对本 申请的限制。  The method, the device and the security browser for defending against the sandbox provided by the present application are described in detail above. The principles and implementation manners of the present application are described in the specific examples, and the description of the above embodiments is described. It is only used to help understand the method of the present application and its core ideas; at the same time, for those of ordinary skill in the art, according to the idea of the present application, there will be changes in specific implementation manners and application scopes. The contents of this specification are not to be construed as limiting the application.

Claims

权 利 要 求 书 Claim
1、 一种利用沙箱进行防御的方法, 包括: 1. A method of using a sandbox for defense, including:
在对目标对象执行操作之前, 自动判断待操作的所述目标对象的执行是 否需要导入沙箱;  Before performing an operation on the target object, automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox;
若确定需要导入沙箱,则将所述目标对象导入所述沙箱并在所述沙箱中 完成该目标对象的执行。  If it is determined that a sandbox needs to be imported, the target object is imported into the sandbox and execution of the target object is completed in the sandbox.
2、 根据权利要求 1 所述的方法, 其中, 将所述目标对象导入所述沙箱 并在所述沙箱中完成该目标对象的执行的步骤包括:  2. The method according to claim 1, wherein the step of importing the target object into the sandbox and completing execution of the target object in the sandbox comprises:
如果所述目标对象为目标程序, 则将该目标程序导入沙箱, 在沙箱中完 成该目标程序的运行;  If the target object is a target program, the target program is imported into a sandbox to complete the operation of the target program in the sandbox;
或者, 如果所述目标对象为目标文件, 则将执行该目标文件的关联程序 导入沙箱, 在沙箱中由所述关联程序运行该目标文件;  Or, if the target object is an object file, import the associated program that executes the target file into a sandbox, and the target file is run by the associated program in a sandbox;
或者, 如果所述目标对象为用户输入的信息, 则将接收该用户输入信息 的关联程序导入沙箱, 在沙箱中根据该用户输入信息运行所述关联程序; 所 述用户输入的信息包括网址和 /或关键词。  Or if the target object is the information input by the user, importing the associated program that receives the user input information into the sandbox, and running the associated program according to the user input information in the sandbox; the information input by the user includes the URL And / or keywords.
3、 根据权利要求 2所述的方法, 其中, 所述在对目标对象执行操作之 前, 自动判断待操作的所述目标对象的执行是否需要导入沙箱的步骤包括: 如果所述目标对象为目标程序, 则将所述目标程序下载到客户端后, 在 客户端运行该目标程序之前, 自动判断待操作的所述目标对象的执行是否需 要导入沙箱; 和 /或, 在下载所述目标程序之前, 自动判断待操作的所述目标 对象的执行是否需要导入沙箱;  3. The method according to claim 2, wherein the step of automatically determining whether execution of the target object to be operated needs to be imported into a sandbox before performing an operation on the target object comprises: if the target object is a target a program, after downloading the target program to the client, automatically determining whether execution of the target object to be operated needs to be imported into a sandbox before the client runs the target program; and/or downloading the target program Before, it is automatically determined whether the execution of the target object to be operated needs to be imported into a sandbox;
或者, 如果所述目标对象为目标文件, 则将所述目标文件或执行该目标 文件的关联程序下载到客户端后, 在客户端运行该目标文件之前, 自动判断 待操作的所述目标对象的执行是否需要导入沙箱;和 /或,在下载所述目标文 件或在线执行该目标文件的关联程序之前, 自动判断待操作的所述目标对象 的执行是否需要导入沙箱;  Or, if the target object is a target file, after downloading the target file or the associated program that executes the target file to the client, automatically determining the target object to be operated before the client runs the target file Whether it is necessary to import a sandbox; and/or, before downloading the target file or executing an associated program of the target file online, automatically determining whether execution of the target object to be operated needs to be imported into a sandbox;
或者,如果所述目标对象为用户输入的信息,则在用户输入所述信息时, 自动判断待操作的所述目标对象的执行是否需要导入沙箱。  Alternatively, if the target object is information input by the user, when the user inputs the information, it is automatically determined whether the execution of the target object to be operated needs to be imported into the sandbox.
4、 根据权利要求 1至 3任一所述的方法, 其中, 所述自动判断待操作 的所述目标对象的执行是否需要导入沙箱的步骤包括: The method according to any one of claims 1 to 3, wherein the automatic determination is to be operated The steps of whether the execution of the target object needs to be imported into the sandbox include:
判断所述待操作的目标对象是否符合预置的匹配规则, 如果符合, 则所 述待操作的目标对象的执行需要导入沙箱;如果不符合,则不需要导入沙箱。  It is determined whether the target object to be operated meets the preset matching rule. If it is met, the execution of the target object to be operated needs to be imported into the sandbox; if not, the sandbox is not required to be imported.
5、 根据权利要求 4所述的方法, 其中, 在判断所述待操作的目标对象 是否符合预置的匹配规则的步骤之前, 还包括: 创建用于自动判断所述目标 对象的执行的进程;  The method according to claim 4, further comprising: before the step of determining whether the target object to be operated meets a preset matching rule, creating: a process for automatically determining execution of the target object;
判断所述进程的父进程是否在沙箱内, 如果是, 则执行所述将所述目标 对象导入所述沙箱并在所述沙箱中完成该目标对象的执行的步骤; 如果否, 则继续所述判断所述待操作的目标对象是否符合预置的匹配规则的步骤。  Determining whether the parent process of the process is in a sandbox, and if so, performing the step of importing the target object into the sandbox and completing execution of the target object in the sandbox; if not, The step of determining whether the target object to be operated conforms to a preset matching rule is continued.
6、 根据权利要求 4所述的方法, 其中, 在所述判断所述待操作的目标 对象是否符合预置的匹配规则的步骤之前, 还包括:  The method according to claim 4, wherein before the step of determining whether the target object to be operated meets a preset matching rule, the method further includes:
判断用户是否选择将所述待操作的目标对象的执行导入沙箱, 如果是, 则执行所述将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象 的执行的步骤; 如果否, 则继续所述判断所述待操作的目标对象是否符合预 置的匹配规则的步骤。  Determining whether the user chooses to import the execution of the target object to be operated into the sandbox, and if so, performing the step of importing the target object into the sandbox and completing execution of the target object in the sandbox If no, the step of determining whether the target object to be operated meets the preset matching rule is continued.
7、 根据权利要求 4所述的方法, 其中, 在判断所述待操作的目标对象 是否符合预置的匹配规则的步骤之前, 还包括:  The method according to claim 4, wherein before the step of determining whether the target object to be operated meets a preset matching rule, the method further includes:
判断所述待操作的目标对象是否在白名单中, 如果不在白名单中, 则所 述待操作的目标对象是未知对象,继续所述判断所述待操作的目标对象是否 符合预置的匹配规则的步骤; 如果在白名单中, 则不需要将所述待操作的目 标对象导入沙箱。  Determining whether the target object to be operated is in the whitelist, if not in the whitelist, the target object to be operated is an unknown object, and continuing to determine whether the target object to be operated meets a preset matching rule Step; if in the white list, the target object to be operated does not need to be imported into the sandbox.
8、 根据权利要求 4所述的方法, 其中, 在判断所述待操作的目标对象 是否符合预置的匹配规则的步骤之前, 还包括:  The method according to claim 4, wherein before the step of determining whether the target object to be operated meets a preset matching rule, the method further includes:
判断所述待操作的目标对象是否在黑名单中, 如果在黑名单中, 则执行 所述将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行 的步骤; 如果不在黑名单中, 则继续所述判断所述待操作的目标对象是否符 合预置的匹配规则的步骤。  Determining whether the target object to be operated is in a blacklist, and if in the blacklist, performing the step of importing the target object into the sandbox and completing execution of the target object in the sandbox; If it is not in the blacklist, the step of determining whether the target object to be operated meets the preset matching rule is continued.
9、 根据权利要求 4所述的方法, 其中, 判断所述待操作的目标对象是 否符合预置的匹配规则的步骤包括: 9. The method according to claim 4, wherein the target object to be operated is determined to be The steps for meeting the preset matching rules include:
查询预置的数据库,将所述待操作的目标对象与该数据库中的预置规则 进行比较, 如果在该数据库中查询到, 则符合匹配规则; 如果未查询到, 则 不符合匹配规则。  The preset database is queried, and the target object to be operated is compared with the preset rule in the database. If the query is found in the database, the matching rule is met; if not, the matching rule is not met.
10、 根据权利要求 4所述的方法, 其中, 当所述待操作的目标对象为目 标程序和 /或目标文件时,所述判断所述待操作的目标对象是否符合预置的匹 配规则的步骤包括:  The method according to claim 4, wherein, when the target object to be operated is a target program and/or a target file, the step of determining whether the target object to be operated conforms to a preset matching rule Includes:
根据所述目标对象的信息, 判断所述目标对象是否符合预置的匹配规 则;  Determining, according to the information of the target object, whether the target object meets a preset matching rule;
和 /或, 根据所述目标对象的来源程序的信息, 判断所述目标对象是否 符合预置的匹配规则。  And/or, according to the information of the source program of the target object, determining whether the target object meets a preset matching rule.
11、 根据权利要求 10所述的方法, 其中,  11. The method according to claim 10, wherein
所述目标对象的信息包括以下至少之一: 目标对象的文件路径、 加密数 据、 文件属性、 图标特征值、 文件特征值、 下载来源;  The information of the target object includes at least one of the following: a file path of the target object, an encrypted data, a file attribute, an icon feature value, a file feature value, and a download source;
所述来源程序的信息包括以下至少之一: 来源程序的文件路径、 加密数 据、 文件属性、 图标特征值、 文件特征值、 下载来源。  The information of the source program includes at least one of the following: a file path of the source program, encrypted data, file attributes, icon feature values, file feature values, and download sources.
12、 根据权利要求 4所述的方法, 其中, 当所述待操作的目标对象为用 户输入的信息时, 所述判断所述待操作的目标对象是否符合预置的匹配规则 的步骤包括:  The method according to claim 4, wherein, when the target object to be operated is the information input by the user, the step of determining whether the target object to be operated meets the preset matching rule comprises:
判断所述用户输入的信息是否符合预置的匹配规则。  It is determined whether the information input by the user meets a preset matching rule.
13、 根据权利要求 1至 3任一所述的方法, 其中, 所述自动判断待操作 的所述目标对象的执行是否需要导入沙箱的步骤包括:  The method according to any one of claims 1 to 3, wherein the step of automatically determining whether the execution of the target object to be operated needs to be imported into the sandbox comprises:
根据客户端的请求, 由服务器端自动判断所述待操作的目标对象的执行 是否需要导入沙箱;  According to the request of the client, the server automatically determines whether the execution of the target object to be operated needs to be imported into the sandbox;
和 /或, 由客户端自动判断所述待操作的目标对象的执行是否需要导入 σ相。  And/or, the client automatically determines whether the execution of the target object to be operated needs to import the sigma phase.
14、 根据权利要求 1至 3任一所述的方法, 其中, 在确定需要导入沙箱 之后,将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行 之前, 还包括: 14. The method according to any one of claims 1 to 3, wherein after determining that a sandbox needs to be imported, the target object is imported into the sandbox and execution of the target object is completed in the sandbox Previously, it also included:
弹出提示窗提示用户是否导入沙箱;根据所述用户的肯定输入执行所述 将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行的步 骤。  A pop-up prompt window prompts the user whether to import the sandbox; and the step of importing the target object into the sandbox and performing the execution of the target object in the sandbox is performed according to the positive input of the user.
15、 一种利用沙箱进行防御的装置, 包括: 15. A device for using a sandbox for defense, comprising:
判断模块, 设置为在对目标对象执行操作之前, 自动判断待操作的所述 目标对象的执行是否需要导入沙箱;  a judging module, configured to automatically determine whether execution of the target object to be operated needs to be imported into a sandbox before performing an operation on the target object;
执行模块, 设置为若所述判断模块的判断结果为需要导入沙箱, 则将所 述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行。  The execution module is configured to: if the judgment result of the determination module is that the sandbox needs to be imported, import the target object into the sandbox and complete execution of the target object in the sandbox.
16、 根据权利要求 15所述的装置, 其中, 所述执行模块在将所述目标 对象导入所述沙箱并在所述沙箱中完成该目标对象的执行时,  16. The apparatus according to claim 15, wherein the execution module, when the target object is imported into the sandbox and the execution of the target object is completed in the sandbox,
如果所述目标对象为目标程序, 则将该目标程序导入沙箱, 在沙箱中完 成该目标程序的运行;  If the target object is a target program, the target program is imported into a sandbox to complete the operation of the target program in the sandbox;
或者, 如果所述目标对象为目标文件, 则将执行该目标文件的关联程序 导入沙箱, 在沙箱中由所述关联程序运行该目标文件;  Or, if the target object is an object file, import the associated program that executes the target file into a sandbox, and the target file is run by the associated program in a sandbox;
或者, 如果所述目标对象为用户输入的信息, 则将接收该用户输入信息 的关联程序导入沙箱, 在沙箱中根据该用户输入信息运行所述关联程序; 所 述用户输入的信息包括网址和 /或关键词。  Or if the target object is the information input by the user, importing the associated program that receives the user input information into the sandbox, and running the associated program according to the user input information in the sandbox; the information input by the user includes the URL And / or keywords.
17、 根据权利要求 16所述的装置, 其中, 所述判断模块, 设置为: 如果所述目标对象为目标程序, 则将所述目标程序下载到客户端后, 在 客户端运行该目标程序之前, 自动判断待操作的所述目标对象的执行是否需 要导入沙箱; 和 /或, 在下载所述目标程序之前, 自动判断待操作的所述目标 对象的执行是否需要导入沙箱;  The device according to claim 16, wherein the determining module is configured to: if the target object is a target program, download the target program to the client, before the client runs the target program Automatically determining whether execution of the target object to be operated needs to be imported into a sandbox; and/or automatically determining whether execution of the target object to be operated needs to be imported into a sandbox before downloading the target program;
或者, 如果所述目标对象为目标文件, 则将所述目标文件或执行该目标 文件的关联程序下载到客户端后, 在客户端运行该目标文件之前, 自动判断 待操作的所述目标对象的执行是否需要导入沙箱;和 /或,在下载所述目标文 件或在线执行该目标文件的关联程序之前, 自动判断待操作的所述目标对象 的执行是否需要导入沙箱; 或者,如果所述目标对象为用户输入的信息,则在用户输入所述信息时, 自动判断待操作的所述目标对象的执行是否需要导入沙箱。 Or, if the target object is a target file, after downloading the target file or the associated program that executes the target file to the client, automatically determining the target object to be operated before the client runs the target file Whether it is necessary to import a sandbox; and/or, before downloading the target file or executing an associated program of the target file online, automatically determining whether execution of the target object to be operated needs to be imported into a sandbox; Alternatively, if the target object is information input by the user, when the user inputs the information, it is automatically determined whether the execution of the target object to be operated needs to be imported into the sandbox.
18、根据权利要求 15至 17任一所述的装置,其中,所述判断模块包括: 规则判断模块, 设置为在对目标对象执行操作之前, 判断所述待操作的 目标对象是否符合预置的匹配规则, 如果符合, 则所述待操作的目标对象的 执行需要导入沙箱; 如果不符合, 则不需要导入沙箱。  The apparatus according to any one of claims 15 to 17, wherein the judging module comprises: a rule judging module, configured to determine whether the target object to be operated conforms to a preset before performing an operation on the target object Matching rules, if they are met, the execution of the target object to be operated needs to be imported into the sandbox; if not, the sandbox does not need to be imported.
19、 根据权利要求 18所述的装置, 其中, 所述判断模块还包括: 父进程判断模块,设置为在所述规则判断模块判断所述待操作的目标对 象是否符合预置的匹配规则之前,创建用于自动判断所述目标对象的执行的 进程后, 判断所述进程的父进程是否在沙箱内, 如果是, 则触发所述执行模 块将所述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行; 如 果否, 则触发所述规则判断模块继续判断所述待操作的目标对象是否符合预 置的匹配规则。  The device according to claim 18, wherein the determining module further comprises: a parent process determining module, configured to: before the rule determining module determines whether the target object to be operated meets a preset matching rule, After creating a process for automatically determining the execution of the target object, determining whether the parent process of the process is in a sandbox, and if so, triggering the execution module to import the target object into the sandbox and Executing execution of the target object in the sandbox; if not, triggering the rule determination module to continue to determine whether the target object to be operated meets a preset matching rule.
20、 根据权利要求 18所述的装置, 其中, 所述判断模块还包括: 用户选择判断模块,设置为判断用户是否选择将所述待操作的目标对象 的执行导入沙箱, 如果是, 则触发所述执行模块将所述目标对象导入所述沙 箱并在所述沙箱中完成该目标对象的执行; 如果否, 则触发所述规则判断模 块继续判断所述待操作的目标对象是否符合预置的匹配规则。  The device according to claim 18, wherein the determining module further comprises: a user selection determining module, configured to determine whether the user selects to import the execution of the target object to be operated into the sandbox, and if so, trigger The execution module imports the target object into the sandbox and completes execution of the target object in the sandbox; if not, triggers the rule determination module to continue to determine whether the target object to be operated meets the pre-target Match rules.
21、 根据权利要求 18所述的装置, 其中, 所述判断模块还包括: 白名单判断模块, 设置为判断所述待操作的目标对象是否在白名单中, 如果不在白名单中, 则所述待操作的目标对象是未知对象, 触发所述规则判 断模块继续判断所述待操作的目标对象是否符合预置的匹配规则; 如果在白 名单中, 则不需要将所述待操作的目标对象导入沙箱。  The device of claim 18, wherein the determining module further comprises: a whitelist determining module, configured to determine whether the target object to be operated is in a whitelist, and if not in the whitelist, The target object to be operated is an unknown object, and the rule determination module is triggered to continue to determine whether the target object to be operated meets a preset matching rule; if in the white list, the target object to be operated does not need to be imported. sandbox.
22、 根据权利要求 18所述的装置, 其中, 所述判断模块还包括: 黑名单判断模块, 设置为判断所述待操作的目标对象是否在黑名单中, 如果在黑名单中, 则触发所述执行模块将所述目标对象导入所述沙箱并在所 述沙箱中完成该目标对象的执行; 如果不在黑名单中, 则触发所述规则判断 模块继续判断所述待操作的目标对象是否符合预置的匹配规则。 The device of claim 18, wherein the determining module further comprises: a blacklist determining module, configured to determine whether the target object to be operated is in a blacklist, and if in the blacklist, triggering The execution module imports the target object into the sandbox and completes execution of the target object in the sandbox; if not in the blacklist, triggering the rule determination module to continue to determine whether the target object to be operated is Match the preset matching rules.
23、 根据权利要求 18所述的装置, 其中, 所述规则判断模块设置为: 当所述待操作的目标对象为目标程序和 /或目标文件时, 根据所述目标 对象的信息, 判断所述目标对象是否符合预置的匹配规则; 和 /或, 根据所述 目标对象的来源程序的信息, 判断所述目标对象是否符合预置的匹配规则; 其中, 所述目标对象的信息包括以下至少之一: 目标对象的文件路径、 加密数据、 文件属性、 图标特征值、 文件特征值、 下载来源; 所述来源程序 的信息包括以下至少之一: 来源程序的文件路径、 加密数据、 文件属性、 图 标特征值、 文件特征值、 下载来源; The device according to claim 18, wherein the rule determining module is configured to: when the target object to be operated is a target program and/or a target file, determine the information according to the information of the target object Whether the target object meets the preset matching rule; and/or, according to the information of the source program of the target object, determining whether the target object meets a preset matching rule; wherein, the information of the target object includes at least the following a: a file path of the target object, encrypted data, file attributes, icon feature values, file feature values, download sources; the source program information includes at least one of the following: a file path of the source program, encrypted data, file attributes, icons Feature value, file feature value, download source;
当所述待操作的目标对象为用户输入的信息时,判断所述用户输入的信 息是否符合预置的匹配规则。  When the target object to be operated is information input by the user, it is determined whether the information input by the user conforms to a preset matching rule.
24、 根据权利要求 15至 17任一所述的装置, 其中, 所述装置还包括: 提示模块, 设置为在所述执行模块确定需要导入沙箱之后, 将所述目标 对象导入所述沙箱并在所述沙箱中完成该目标对象的执行之前, 弹出提示窗 提示用户是否导入沙箱; 并根据所述用户的肯定输入调用所述执行模块将所 述目标对象导入所述沙箱并在所述沙箱中完成该目标对象的执行。  The device according to any one of claims 15 to 17, wherein the device further comprises: a prompting module, configured to: after the execution module determines that the sandbox needs to be imported, import the target object into the sandbox And before the execution of the target object is completed in the sandbox, a pop-up prompt window prompts the user whether to import the sandbox; and invokes the execution module according to the positive input of the user to import the target object into the sandbox and The execution of the target object is completed in the sandbox.
25、 一种安全浏览器, 包括如上述权利要求 15至 24任一权利要求所述 的利用沙箱进行防御的装置。 A security browser comprising the apparatus for defense using a sandbox as claimed in any of claims 15 to 24.
26、 一种在其上记录有用于执行权利要求 1至 14任一权利要求所述方 法的计算机可读记录介质。  A computer readable recording medium having recorded thereon a method for performing the method of any one of claims 1 to 14.
27、 一种安全浏览器, 用于执行权利要求 1至 14任一权利要求所述的 利用沙箱进行防御的方法。  27. A secure browser for performing the method of using a sandbox for defense as claimed in any one of claims 1 to 14.
PCT/CN2012/074241 2011-04-21 2012-04-18 Method and device for defense by using sandbox, and secure browser WO2012142943A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110100859.6 2011-04-21
CN201110100859.6A CN102184356B (en) 2011-04-21 2011-04-21 Method, device and safety browser by utilizing sandbox technology to defend

Publications (1)

Publication Number Publication Date
WO2012142943A1 true WO2012142943A1 (en) 2012-10-26

Family

ID=44570531

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/074241 WO2012142943A1 (en) 2011-04-21 2012-04-18 Method and device for defense by using sandbox, and secure browser

Country Status (2)

Country Link
CN (1) CN102184356B (en)
WO (1) WO2012142943A1 (en)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102184356B (en) * 2011-04-21 2014-04-02 奇智软件(北京)有限公司 Method, device and safety browser by utilizing sandbox technology to defend
CN103067246B (en) * 2011-10-18 2015-11-25 阿里巴巴集团控股有限公司 The method that the file received based on instant messaging business is processed and device
CN104021168B (en) * 2011-12-28 2017-06-16 北京奇虎科技有限公司 A kind of method and device for browsing webpage
CN102436508B (en) * 2011-12-28 2013-08-14 奇智软件(北京)有限公司 Method and device for browsing webpage based on sandbox technique
CN104021167B (en) * 2011-12-28 2017-06-16 北京奇虎科技有限公司 A kind of method and device for browsing webpage
CN102592086B (en) * 2011-12-28 2015-04-15 奇智软件(北京)有限公司 Method and device for browsing webpages in sandbox
CN102662797A (en) * 2012-04-11 2012-09-12 无锡华御信息技术有限公司 Virtualization-based software backup method
CN103377120B (en) * 2012-04-24 2017-06-30 财付通支付科技有限公司 A kind of applied program testing method and device
CN102737203B (en) * 2012-07-13 2015-10-21 珠海市君天电子科技有限公司 Virus defense method and system based on program parent-child gene relationship
CN103268442B (en) * 2013-05-14 2015-12-23 北京奇虎科技有限公司 A kind of method and apparatus realizing secure access video website
CN104036183B (en) * 2013-05-17 2015-04-08 腾讯科技(深圳)有限公司 Method and system for installing software in sandbox
CN104134034B (en) * 2013-06-13 2015-10-21 腾讯科技(深圳)有限公司 Control the method and apparatus that application runs
CN103648049B (en) * 2013-12-20 2017-01-18 北京奇虎科技有限公司 Method and device for achieving safe video play
CN103763316B (en) * 2014-01-16 2016-10-26 中国联合网络通信集团有限公司 The method of a kind of web page contents filtration and Provider Equipment
CN103970574B (en) * 2014-05-22 2017-07-14 北京奇虎科技有限公司 The operation method and device of office programs, computer system
CN105338017A (en) * 2014-06-30 2016-02-17 北京新媒传信科技有限公司 WEB defense method and system
CN104239781A (en) * 2014-09-01 2014-12-24 百度在线网络技术(北京)有限公司 Method and unit for preventing processes from being injected
CN105447382A (en) * 2014-09-28 2016-03-30 北京云巢动脉科技有限公司 Sandbox based software registry redirection method and system
CN104375494B (en) * 2014-12-02 2017-02-22 北京奇虎科技有限公司 Security sandbox construction method and security sandbox construction device
CN104615946A (en) * 2015-02-13 2015-05-13 成都卫士通信息安全技术有限公司 Virtual encrypted disk data protection system and method based on intelligent mobile terminals
CN104866373B (en) * 2015-05-20 2019-01-18 南京国电南自电网自动化有限公司 Real time operating system emulation mode based on Cross Platform Technology
CN106682501A (en) * 2016-12-20 2017-05-17 深圳市九洲电器有限公司 Set-top-box application program management method and system
CN108108619B (en) * 2017-12-29 2021-08-31 安天科技集团股份有限公司 File detection method, system and storage medium based on pattern matching corresponding relation
CN109960941A (en) * 2019-03-18 2019-07-02 中国科学院计算机网络信息中心 Data access method, device and storage medium based on via Self-reconfiguration
CN110365696A (en) * 2019-07-25 2019-10-22 海南昊霖环保科技有限公司 A kind of browser and number adopt instrument realtime communication system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060161982A1 (en) * 2005-01-18 2006-07-20 Chari Suresh N Intrusion detection system
CN1961272A (en) * 2004-06-29 2007-05-09 英特尔公司 Method of improving computer security through sandboxing
WO2007113709A1 (en) * 2006-03-30 2007-10-11 Koninklijke Philips Electronics N.V. Method and apparatus for assigning an application to a security restriction
WO2010065222A1 (en) * 2008-12-02 2010-06-10 Microsoft Corporation Sandboxed execution of plug-ins
CN102184356A (en) * 2011-04-21 2011-09-14 奇智软件(北京)有限公司 Method, device and safety browser by utilizing sandbox technology to defend

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US7120698B2 (en) * 2001-09-20 2006-10-10 Sun Microsystems, Inc. Access control for an e-commerce application
CN100464301C (en) * 2007-08-09 2009-02-25 威盛电子股份有限公司 Applied program processing method and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1961272A (en) * 2004-06-29 2007-05-09 英特尔公司 Method of improving computer security through sandboxing
US20060161982A1 (en) * 2005-01-18 2006-07-20 Chari Suresh N Intrusion detection system
WO2007113709A1 (en) * 2006-03-30 2007-10-11 Koninklijke Philips Electronics N.V. Method and apparatus for assigning an application to a security restriction
WO2010065222A1 (en) * 2008-12-02 2010-06-10 Microsoft Corporation Sandboxed execution of plug-ins
CN102184356A (en) * 2011-04-21 2011-09-14 奇智软件(北京)有限公司 Method, device and safety browser by utilizing sandbox technology to defend

Also Published As

Publication number Publication date
CN102184356B (en) 2014-04-02
CN102184356A (en) 2011-09-14

Similar Documents

Publication Publication Date Title
WO2012142943A1 (en) Method and device for defense by using sandbox, and secure browser
US11068591B2 (en) Cybersecurity systems and techniques
Monnappa Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
JP6639588B2 (en) System and method for detecting malicious files
US10291634B2 (en) System and method for determining summary events of an attack
JP5396051B2 (en) Method and system for creating and updating a database of authorized files and trusted domains
US10803170B2 (en) Methods and apparatus for dealing with malware
JP4929275B2 (en) Application identity and ranking services
US20140373137A1 (en) Modification of application store output
US11409847B2 (en) Source-based authentication for a license of a license data structure
Jones Ransomware analysis and defense-wannacry and the win32 environment
Retzkin Hands-On Dark Web Analysis: Learn what goes on in the Dark Web, and how to work with it
CN103942488B (en) Method, device and the secure browser being on the defensive using sandbox technology
CN103514401A (en) Method and device for defense by utilization of sandbox technology and security browser
Herr et al. Milware: Identification and implications of state authored malicious software
Muhovic Behavioural analysis of malware using custom sandbox environments
RU2592383C1 (en) Method of creating antivirus record when detecting malicious code in random-access memory
Van Mieghem Detecting malicious behaviour using system calls
Moreb Malware Forensics for Volatile and Nonvolatile Memory in Mobile Devices
Pektaş Classification des logiciels malveillants basée sur le comportement à l'aide de l'apprentissage automatique en ligne
Lang et al. Advanced Dynamic Analysis of Cryptolocker
Chamorro Antivirus software advising system
CN104050411A (en) Active defense method
Jones et al. Ransomware Analysis and Defense

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12774492

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12774492

Country of ref document: EP

Kind code of ref document: A1